In a connected world, retreat is not an option.

The new Windows Server® 2008 dodges attacks 
with built-in Network Access Protection, a 
Read-Only Domain Controller, and a Server 
Core installation option that help dramatically 
reduce vulnerabilities. So you get superhuman 
reliability. It's the server unleashed. 
SOLUTIONS+

44 10 Steps for Physical to Virtual OS Migration

Save your organization time and server space by performing a physical 
to virtual (P2V) OS migration using the Virtual Server Migration Toolkit 
(VSMT) and Mobile Automated Services (ADS). This mobile P2V solution 
gives you the flexibility to handle migrations anywhere in the organization. 
—ROBERT LARSON 

Why VSMT 1.1 Doesn't Support Virtual Server 2005 R2 SP1 . . . 45

Adding Windows Server 2003 SP2 Support to the VSMT Patch Directory . . . 47

SOLUTIONS+ 

50 Windows Server 2008 Installation—It’s a Snap!

Install and begin to use Windows Server 2008, and learn how the OS is a 
very different beast than what you've experienced in the past. 

—JOHN SAVILL 

What You Need to Know About In-Place Upgrades . . . 51


32 Conquer 2 New DNS Exploits 

You understand the importance of securing your external name servers, but what about your DNS clients? Two new client-focused vulnerabilities demand your attention.

—CRICKET LIU 

IT PRO HERO 

33 Tried-and-True DNS Wisdom 

Learn from an experienced Windows administrator, who offers 
DNS insights and practical tips for making name resolution work 
more smoothly. 

—CAROLINE MARWITZ 


FEATURES 


REQUIRED READING: SECURITY 

54 6 New Security Features in IIS 7.0 

You can sandbox applications, delegate configuration decisions, control 
access to all content types, and more with IIS 7.0 security features. 
—DEREK HATCHARD 
59 Customize Search Features in Microsoft Office SharePoint Server 2007

Set targeted search scopes, and provide custom search forms and results 
pages with MOSS 2007's Advanced Search Web part and the Search Center 
site template. 

—ANUP KAFLE


39 PowerShell 101, Lesson 3 

PowerShell's comparison, logical, and arithmetic operators 
combined with its support for wildcards and regular expressions 
help put the "Pow" in PowerShell. 

—ROBERT SHELDON


TRICKS & TRAPS 


16 Reader to Reader 

Discover how to open a command prompt window while installing 
Windows and properly compile and store a product key list. Learn about a 
Vista alternative and an alternative way to copy file paths. 

65 Ask the Experts 

Learn about automatic site coverage and how to disable it, find out how 
to configure how often Group Policy security settings are updated, learn 
about running a mixed environment of Exchange 2003 SP1 and Exchange 
2003 SP2 servers, and more. 
IT Pro Perspective

The Next Wave of Microsoft Virtualization 

As April begins, Microsoft has big news about Xbox as 
a server and amazing virtualization and management 
options. 



Paul Thurrott 


Need to Know 

What You Need to Know About Windows Home Server and WGA Changes in Windows Vista SP1

Learn why Windows Home Server is a surprisingly good solution for some small businesses and why changes to Windows Genuine Advantage in Vista SP1 might send you scurrying to update.



Mark Minasi 


Windows Power Tools 

Defrag from Windows Vista’s Command Line 

Every new Windows version seems to come with a 
new defrag tool, and Vista is no exception. But its 
GUI-based defragmenter leaves a lot to be desired. 
Here's how you can use the OS's Defrag command-line tool to do more.



Free Virtualization Products 

Keep up with the fast-growing virtualization 
market by building your VMs and managing your 
environment with these free products. 


PRODUCTS 


19 New & Improved 

Check out the latest products 
to hit the marketplace. 
PRODUCT SPOTLIGHT: 
Microsoft Robert 2008 


21 Industry Bytes 

Jeff James discusses Windows 
XP SP3 and how it may impact 
migration to Windows Vista in 
the enterprise, and Caroline 
Marwitz speaks with Symark 
Software about using AD in 
heterogeneous environments. 


22 REVIEW 

Lenovo ThinkPad X61

The ThinkPad X61 isn't 
the smallest or lightest 
ultraportable available, and its 
general usability is somewhat 
lacking. But it boasts dual-core 
power and extreme portability. 
—JASON BOVBERG 


23 REVIEW 
SteelEye 
Technology 
LifeKeeper 
Protection Suite 
for Windows 

SteelEye's clustering and disaster recovery solution offers much to like, including support for both replicated and shared storage, easy configuration for both scenarios, and support for more complex failover scenarios.
—JOHN GREEN 


25 MARKET WATCH 

SAM Minds 
Your IT Assets 

Ensure your organization 
is in compliance with 
licensing agreements, and 
keep an eye on employees' 
software and hardware 
usage with software asset 
management (SAM) 
solutions. 

—TODD ERICKSON 

Guidelines for Evaluating 
SAM Solutions . 25 

29 BUYER’S GUIDE 

Enterprise 

Patch 

Management 

Software 

Find the right patch- 
management solution for 
your environment with help 
from this evaluation of 11 
products. 

—TODD ERICKSON 
79 Directory of Services
79 Advertising Index 

79 Vendor Directory 

80 Ctrl+Alt+Del 


Get Foolish- AND WIN! 

Things looking a little silly in this month’s issue? Don’t worry; it’s not 
you—it’s us! In celebration of April Fool’s day, we’ve included some foolery 
throughout this issue. And if you spot what’s different, you could win a 
one-year VIP Subscription, including exclusive online access to every 
article ever printed in Windows IT Pro, SQL Server Magazine, Exchange 
and Outlook Pro VIP, Scripting Pro VIP, and Security Pro VIP; a one-year 
subscription to your choice of either Windows IT Pro or SQL Server 
Magazine ; and a VIP CD—updated and delivered twice a year. (If you’re 
already a subscriber to one of our magazines or to only the Pro VIPs, we’ll 
upgrade your existing subscription to include all of our resources.) 


Just email a list of what you’ve found to me at Christan.Humphries@penton.com by April 30th. Out of the entries with the most correct

How to Implement an Effective Change Management Strategy for Group Policy

Join Group Policy guru Jeremy Moskowitz as he describes the limitations of using native tools for change management, shares his best practices for Group Policy management, and explains how you can implement an effective change-management process. Don’t miss an opportunity to learn from an expert; download this Web seminar today!
www.windowsitpro.com/go/seminars/netiq/gpo/?partnerref=AprilCITC

Unauthorized Applications: Taking Back Control

Learn why you should be concerned about employees installing and using unauthorized applications such as IM, VoIP, games, and peer-to-peer file-sharing and discover various approaches to controlling these unauthorized applications. This free white paper suggests a simple solution that integrates unauthorized-application blocking with your existing malware detection and management infrastructure.
www.windowsitpro.com/go/wp/sophos/control/?code=AprilCITC

The Technology Resource Directory: Search; Find; Contribute

Windows IT Pro’s exclusive technology and developer directory is a comprehensive resource of products, services, and training solutions. The searchable database provides maximum exposure to IT and developer solution providers worldwide. Supported by the strength and credibility of Windows IT Pro, the directory is free to vendors as well as users.
www.TechnologyResourceDirectory.com

PRO LIVE!

Learn from SharePoint experts Dan Holme and Melissa Fraser how to deploy and implement MOSS and SharePoint Services effectively in your organization. Take part in this information-packed day of technical training on the most common business uses of SharePoint.
www.windowsitpro.com/roadshows/sharepointprolive/?code=editorial
The Missing Link to IT Resources

BY CHRISTAN HUMPHRIES 


I See Resources in Your Immediate Future 


In preparation for the April Fool’s contest we’re running in this month’s magazine, I wrote a hilarious column about how Microsoft was exploring and dabbling with open source. Late in February, I found out that my story was actually true and that I, your savvy assistant, am actually psychic. To tell the truth, it didn’t come as a surprise. My realization of my clairvoyance (and the need to completely rewrite my column) couldn’t have come at a better time: Just after Microsoft’s announcement, I also psychically foretold that reader Robert Singer needed more Windows Server 2003 content in our magazine. OK, fine—he wrote us a letter about it (see Letters@windowsitpro.com, page 10), but I totally would have guessed it if he hadn’t! While we work on adding more Windows Server 2003 articles, here’s just a taste of content we’ve already published that you might have missed:


“What’s Windows Server 2003?” InstantDoc ID 38027
“Windows Server 2003 Features,” InstantDoc ID 37606
“Windows 2003: Active Directory Administration Essentials,” www.windowsitpro.com/go/Windows2003ADAdministrationEssentials
Windows Server 2003 forum, www.windowsitpro.com/go/WindowsServer2003Forum
“What are the Windows Server 2003 forest modes?” InstantDoc ID 41929
“How can I install a Windows Server 2003 Terminal Services licensing server?” InstantDoc ID 49867
“Understanding Windows Server 2003’s Local Security Settings,” InstantDoc ID 41279

For more resources or for your fortune, email me at Christan.Humphries@penton.com.


Christan Humphries 

(christan.humphries@penton.com) is production editor for Windows IT Pro and 
SQL Server Magazine. Although she likes the pretty colors crystal balls make 
when light shines directly on them, she is in no way a bona fide psychic. She is 
also gluten-intolerant and therefore can’t enjoy fortune cookies. 
KEEP DOWNTIME WHERE IT BELONGS: OUTSIDE THE OFFICE.

The HP ProLiant DL380 G5 server comes with Systems Insight 
Manager (SIM) software. HP SIM has shown an average 
reduction in server downtime 1 of 77%, by monitoring your system 
and alerting you of potential server problems before they occur. 

Technology for better business outcomes. 



HP StorageWorks Ultrium 448 Tape Drive SAS Bundle 2


Ships with Data Protector Express Software, 
One Button Disaster Recovery, a 1U 
Rackmount Kit, and a Host Bus Adapter 


Get the full story in the IDC white paper at hp.com/go/sim41
or call 1-877-299-8326 


1. IDC White Paper sponsored by HP, Gaining Business Value and ROI with HP Systems Insight Manager, Doc #206761, May 2007. 2. Prices shown are HP Direct prices; reseller and retail prices may vary. Prices shown are subject to 
change and do not include applicable state and local taxes or shipping to recipient’s address. Offers cannot be combined with any other offer or discount and are good while supplies last. All featured offers available in U.S. only. 
Savings based on HP published list price of configure-to-order equivalent ($3207 - $958 instant savings = SmartBuy price $2249). 3. Financing available through Hewlett-Packard Financial Services Company (HPFS) to qualified 
commercial customers in the U.S. and subject to credit approval and execution of standard HPFS documentation. Prices shown are based on a lease 48 months in term with a fair market value purchase option at the end of the term. 
Rates based on an original transaction size between $3,000 and $25,000. Other rates apply for other terms and transaction sizes. Financing available on transactions greater than $349 through April 30, 2008. HPFS reserves the 
right to change or cancel these programs at any time without notice. Intel, the Intel Logo, Xeon and Xeon Inside are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. 
© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.



$1649

Lease for as low as $41/mo 3 for 48 months 
Smart (PN: AG739A) 

• 400GB compressed capacity in half-height 
form factor 



HP ProLiant DL380 G5 


$2249 (Save $958)

Lease for as low as $56/mo 3 for 48 months 
Check hp.com for the most up-to-date pricing

Smart (PN: 470064-511) 

• Quad-Core Intel® Xeon® Processor 

• 2GB PC2-5300 memory 

• Supports small form factor, high-performance 
SAS or low-cost SATA hard drives 

• Smart Array P400 controller 

• Integrated Lights-Out (iLO 2), Systems Insight Manager, SmartStart

Get More: 

Smart 24x7, 4 hour response, 3 years 

(PN: UE894E) $689 

Smart Add 2GB additional memory, 

(PN: 397411-S21) $174 

Upgrade to Next-Generation Antispam/Antivirus for Exchange.



Osterman Research: "Half the admin time!"




Meet Sunbelt Ninja Email Security: The award-winning all-in-one, best-of-breed, 
third-generation email security solution. Ninja is a plug-in framework that 
integrates best-of-breed antispam, antivirus, disclaimers and SMART attachment 
filtering on your Exchange server. 

Half the admin time: Independent research shows that Ninja requires one-half the IT 
time to manage than other comparable email management systems.* With its MMC 
interface, Ninja is easy to manage so you can get up and running in minutes vs. hours. 

Better multi-engine spam detection: Ninja's filtering decimates junk mail and image spam with both Cloudmark (which includes antiphishing) and Sunbelt's own heuristics-based iHateSpam engines. Of course, it also supports RBLs and SPF.

Integrated multi-engine antivirus: Ninja combines the power of multiple high-quality AV engines.

Great end-user control: The policy-based plug-in architecture allows you powerful, granular control. You can finally rule with an iron fist.



SMART attachment filtering: Ninja features the first flexible policy-based attachment 
filter that isn’t fooled by extensions. It looks inside files to determine their true identity. 
Your policies decide what happens to all attachments. 


Download your evaluation copy at: 

www.sunbeltsoftware.com/ninjawinb 



Sunbelt Software 


Email sales@sunbeltsoftware.com or call 888-688-8457 
for your 50% discount competitive upgrade quote 


Sunbelt Software Tel: 1-888-688-8457 or 1-727-562-0101 Fax:1-727-562-5199 www.sunbeltsoftware.com sales@sunbeltsoftware.com 

The competitive upgrade is based on 50% of Ninja list price. 

© 2007-2008 Sunbelt Software. All rights reserved. Ninja Email Security and Suspicious Mail Attachment Removal Technology are trademarks of Sunbelt Software. All trademarks used are owned by their respective companies. 
*Based on Osterman Research report "Comparing Email Management Systems that Protect Against Spam, Viruses, Malware and Phishing Attacks". December 2006. 

IT Pro Perspective 


The Next Wave of Microsoft Virtualization

A rumored handheld management interface 


When Microsoft bought a virtualization software company called Connectix back in 2002, virtualization was considered a marginally interesting technology for Windows. Within Microsoft, virtualization was thought to have limited use, only for areas such as test environments. Significantly, when Microsoft rereleased the Connectix products as Virtual Server and Virtual PC, the company ceased supporting one of Connectix's most attractive features—the ability to virtualize Linux. Today, the company has decided that virtualization, together with interoperability, is the key to Windows' future market dominance. Now, Microsoft sees the future of virtualization as a competitive edge. The radical swing is that Windows is being positioned as the platform for open-source solutions. You want to run Linux? Great! Run it on Windows Server 2008 Hyper-V!

Watching Microsoft's enthusiasm for virtualization evolve, I began investigating virtualization's spread to various Microsoft products. In this April issue, I disclose little-known plans for the future of Microsoft virtualization.

Xbox Server 2009 

Windows IT Pro readers have long been using the Xbox 
console as a Web server and as a Squid proxy server. (See 
"The website is down because someone removed the 
Xbox," www.windowsitpro.com, InstantDoc ID 50428.) 

Logically, Microsoft is now seriously evaluating Xbox 
for IT. As a platform company, Microsoft is integrating 
its entire product line to make IT dynamic. I've obtained 
exclusive substantiation that Microsoft will soon announce 
Xbox Server 2009, formerly code named DiskEater. 

Xbox Server will be available in 27 versions, ranging 
from Essential Basic Limited Edition to Business Special 
Deluxe Ultimate Extended Edition. Xbox Server 2009 
Essential Ultimate Extra Add-Ons will be downloadable 
from Xbox Live. 

Sources inside Microsoft confirm that a stealth test lab is operating in Building 10. This skunkworks lab is exploring the use of rack-mounted and virtualized Xbox Server machines for corporate networks.

Manageability is a key focus. One Microsoft IT administrator was overheard saying, "Xbox Server's flashing red ring of indicator lights is a great feature! It's much easier to spot hardware problems in the server room. The burning red ring of fire grabs your attention much faster than the old blue screen of death."

Remote Management 

The most significant revelation is that Xbox Server offers surprising new virtualization and interoperability features. For example, to alleviate the frustration that IT staff experience when a server crashes, Microsoft will announce an Xbox Server virtualization layer, which corresponds to Server 2008 Hyper-V. Branded as Hyper-Wii, this virtualization solution allows interoperability with a competitor's hardware to enable development of an innovative (and fun!) remote management handheld device. It will be branded as Hyper-Wii Remote.

"We're super proud of Hyper-Wii Remote," said Microsoft Product Manager Mario (who asked us not to use his last name). "Hyper-Wii Remote is the ultimate user interface for simplifying management tasks. It gives a whole new meaning to 'point and click' administration."

Microsoft is field testing this new handheld controller 
for managing servers, and participants in the Community 
Technology Preview (CTP) program are enthusiastic. So 
if you see an IT guy in the glass room waving his arms 
around, jumping, and shouting, don't assume he's upset 
about a crashed server. 

Inside Microsoft IT, an early adopter, who has been dogfooding Hyper-Wii Remote, notes, "I've lost 10 pounds and significantly improved both my golf and bowling skills since I started using the Hyper-Wii Remote management tool. And my servers have never been so well maintained."

When It’s Ready! 

Responding to rumors of a possible delay in the launch of Hyper-Wii, a testy Microsoft spokesperson said, "We haven't even acknowledged the existence of DiskEater—I mean Xbox Server 2009! How can you claim it's delayed? It's NOT delayed! The word 'delay' has many connotations. Besides, we never announced a date for availability. I've seen irresponsible rumors in the press, claiming Hyper-Wii would be available within 180 days of Xbox Server 2009's release, but Microsoft has not confirmed those rumors. Anyway, we really only care about quality. Hyper-Wii will ship when customers tell us it's ready!"

While refusing to comment on future product directions, a Microsoft spokesperson told me the company is exploring a future desktop virtualization solution with a handheld interface. Could this be a reference to the rumored Windows Wiista release?

Competition 

Not to be overshadowed by Microsoft's efforts to dominate the virtualization space, competitors are hard at work on their own versions of Hyper-Wii. I've talked to many users who are fans of a more sophisticated virtualization technology already in advanced stages. This solution reportedly comes from a company called WiiMware.

InstantDoc ID 98293
letters@windowsitpro.com


EDITOR’S NOTE

Windows IT Pro welcomes feedback about the magazine. Send comments to letters@windowsitpro.com, and include your full name, email address, and daytime phone number. We edit all letters and replies for style, length, and clarity.


Vista UAC Workaround

Michael Otey mentions the annoyance of frequent User Account Control (UAC) prompting in his Top 10 column ("Windows Vista Annoyances," January 2008, InstantDoc ID 97490). I share his pain. However, I've found an interesting fix for the UAC problem.

The reason for all the prompting is that the application in question is being started by the desktop shell (explorer.exe). Winlogon.exe starts explorer.exe as a non-administrative process. If you can get explorer.exe to run as an administrative process, any application that it starts won't get the UAC prompt. One solution is to create a file named ElevateExplorer.cmd with the following two lines:

taskkill /F /IM explorer.exe
start C:\Windows\explorer.exe



Then, create a shortcut icon on your desktop to execute ElevateExplorer.cmd, and set its properties to make it run in the context of an administrator. Now, each time you log on, double-click the ElevateExplorer icon. Of course, the invocation of ElevateExplorer.cmd will cause a UAC prompt. However, once ElevateExplorer.cmd is finished running, it will have killed the copy of explorer.exe that was running as a non-administrator and will have started a new explorer.exe instance, which will now be running as an administrator.

Using this method, all the applications that you start from either the desktop, Start menu, or task bar will run as an administrator—with no UAC prompt. This state stays in effect until you log off. If you want to revert back to the normal mode, just log off and log on again.

—Ron Wright 
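A check for the state this workaround leaves behind, added here as an example and not part of the letter or of Windows: once explorer.exe runs elevated, every program started from the desktop, Start menu, or taskbar inherits the administrator token, so an administrator may want to confirm which mode a user's shell is actually in. The script assumes it is launched from a desktop shortcut or the Start menu (so its parent process is explorer.exe and it inherits the shell's token); the function name Test-ShellElevation is the example's own.

```powershell
# Added example, not from the letter: report whether the shell that launched
# this script is running elevated (the state ElevateExplorer.cmd produces).
# Assumption: started from a shortcut or the Start menu, so the parent
# process is explorer.exe and this process inherits the shell's token.
function Test-ShellElevation {
    # With UAC active, an admin user's standard (filtered) token is NOT in
    # the Administrators role; only an elevated token passes this check.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Walk one step up the process tree to see which process started us.
    $self   = Get-WmiObject Win32_Process -Filter "ProcessId = $PID"
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($self.ParentProcessId)"

    New-Object PSObject -Property @{
        ParentProcess = $parent.Name
        Elevated      = $elevated
    }
}

$state = Test-ShellElevation
if ($state.ParentProcess -eq 'explorer.exe' -and $state.Elevated) {
    Write-Warning ("explorer.exe is running elevated: programs started from the desktop, " +
                   "Start menu, or taskbar get administrator rights with no UAC prompt.")
} elseif ($state.ParentProcess -eq 'explorer.exe') {
    "explorer.exe is running with a standard token; UAC prompts are still in effect."
} else {
    "Launched from $($state.ParentProcess), not from the shell; result does not describe explorer.exe."
}
```

Run it from a PowerShell shortcut on the desktop or in the Start menu rather than from an already-open console. An elevated result with explorer.exe as the parent means the shortcut described in the letter has been used (or UAC is switched off), and everything that shell launches, including anything a user downloads and double-clicks, will run with administrator rights without a prompt.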

PowerShell’s Virtues

I read Robert Sheldon's "PowerShell 101, Lesson 1" (February 2008, InstantDoc ID 97742), and I think it's great that Windows IT Pro is bringing the virtues of Microsoft's PowerShell to light. I'm an Oracle DBA who just finished migrating to Windows. In my former UNIX environment, I used scripting heavily because it was both a time saver and a necessity when scheduling tasks via CRON. I do rely on GUI tools to some extent, but I still prefer the speed and simplicity of scripts.

PowerShell is now a key part of my migration methodology. The ease of scripting at an object level along with the plethora of cmdlets gave me the opportunity to develop and implement new tools for my environment that are far more powerful and flexible than anything I had with UNIX. Combining PowerShell with Oracle's command-line tools has let me create SQL and RMAN scripts on-the-fly to perform reporting, maintenance, service monitoring, and backup tasks quickly and easily. Drop your batch scripts, and move to PowerShell. It truly rocks!

—Stephen Morgan 

We appreciate your feedback, Stephen. Stay tuned as Robert Sheldon continues his series of six PowerShell 101 articles. You can tackle Lesson 3 in this issue, page 39. And Robert has already begun writing a PowerShell 201 series!

—Amy Eisenberg 

Too Much Server 
2008 and Vista 

I love your magazine, but lately 
it seems you're covering only 
Windows Server 2008 and 
Windows Vista. These are cool 
products, but how much of 
your reader base actually plans 
to install/use them in the next 
few months? Shouldn't you 
dedicate some pages to exist¬ 
ing software such as Windows 
Server 2003 and Exchange 
Server? I need articles that 
can help me with my current 
environment. 

—Robert Singer 

Thank you for writing. You've touched on one of the most difficult parts of our job as editors. In every issue, we try to balance coverage of new technology with solutions you can implement today. At the same time, we want to include both novice and advanced topics and topics that are appropriate to small, medium, and large IT environments. Incidentally, when we surveyed our readers in September 2007, 14 percent of survey respondents had installed the Server 2008 beta at their workplace. Nearly 40 percent of survey respondents noted that they planned to migrate to the new server OS within a year of its release. That said, feedback from readers like you is crucial to us meeting your needs. Please write to me at letters@windowsitpro.com and tell me what you'd like to see! If you prefer to make your comments online, we do review the feedback we receive on every article.

—Amy Eisenberg 
InstantDoc ID 98306 
What You Need to Know About...

Windows Home Server


Windows Home Server (WHS) isn't going to solve any enterprise issues in 2008. But it does point the way to the next Small Business Server, with new technologies that could benefit various server products. WHS is also a surprisingly good solution for small businesses in its own right. Here's what you need to know about Windows Home Server.

What WHS Is 

WHS is a server system for homes, as the name implies. It's designed to be sold in preconfigured home server hardware—essentially low-end PC server hardware, though many WHS OEMs, such as HP, have created some stunning and environmentally quiet (and thus appliance-like) designs that are particularly well adapted to the home market. Based on Windows Server 2003, WHS provides a simplified UI, a plug-and-play design, and key consumer-oriented features centered on backup, media sharing, and remote access.

WHS isn't designed to be accessed interactively in 
front of the server box. Most WHS hardware doesn't 
even include a monitor port. Instead, WHS is typically 
accessed via a special remote console, which is installed 
on each PC that you link with the server. You can control 
all applicable WHS features from this console. 

WHS Key Features 

Windows Home Server provides several key features. 
These include the following: 

Innovative storage scheme. Perhaps the most fascinating feature in WHS is how it handles storage. Under the covers, WHS utilizes the same drive letter-based storage system used by all Windows servers. But to the user, the storage connected to a WHS server is a single pool. As you add hard drives to the system—either internally or externally—you can add their capacities to your overall storage pool. In this way, WHS is almost infinitely expandable from a storage perspective, with none of the usual complexities and overhead typical of the storage market.

The WHS storage pool is split between the needs 
of the system (which are small), PC backups, shared 
folders, and duplication. That's right, WHS also lets you 
arbitrarily assign data duplication on individual shared 
folders. 

An interesting side effect to this system is that WHS makes it very easy to remove existing storage, for example to replace it with a higher-capacity alternative. You'll need enough free space on your other attached storage devices to make this possible, but it's a nice touch.

Centralized PC backup and restore. All PCs that 
are connected to WHS are backed up to the server on a 
nightly basis. The initial backup is a full backup, while 
later backups are incremental. WHS also provides an 
efficient way to navigate into backup sets and pull out 
individual files and folders. So rather than restore your 
PC to a certain point in time to recover an important file, 
you can now grab just that file. 

PC and server health monitoring. WHS monitors its own health as well as the health of all connected PCs. PC security and backup states, as well as other crucial data, are communicated to connected PCs via a tray-based notification icon.

Media and document sharing. WHS provides standard small-to-midsized business (SMB)-based file-sharing facilities, so you can easily share particular folders and their contents and set permissions as required. WHS also functions as a Windows Media Connect client, so you can seamlessly share media files like music, photos, and video over the home network with

What You Need to Know About...

WGA Changes in Windows Vista SP1

While Windows Vista SP1 has been a known quantity since September 2007, Microsoft made a final change to this service pack at the last moment that will affect many customers. Responding to complaints about the way Windows Genuine Advantage (WGA) works in Vista, the company has changed how the antipiracy technology works, beginning with SP1. Now, WGA in Vista will function in a similar fashion to WGA in XP. Here's what you need to know about the WGA changes in Vista SP1.

What is WGA? 

WGA is an antipiracy technology that Microsoft first implemented with XP in 2001. Similar in motive to Windows Product Activation (WPA), which ensures that each copy of Windows is installed only once, WGA raises its ugly head in other situations. You'll encounter it if you allow an unactivated copy of Windows to reach the activation timeout limit, or, after activation, when connecting to Microsoft's Web site to download software updates. In this second case, WGA determines whether the copy of Windows is legitimate or illegitimate by examining your system's product key, hard drive serial number, PC BIOS, and other information. In some cases, legitimate copies of Windows have been flagged as illegitimate by WGA, causing headaches for users, who have been forced to manually try to re-validate their systems or contact Microsoft support. For this and other reasons, hackers have been racing to circumvent Vista's WGA in various ways.

Paul Thurrott (thurrott@windowsitpro.com) is the news editor for Windows IT Pro. He writes a weekly editorial for Windows IT Pro UPDATE (www.windowsitpro.com/email) and a daily Windows news and information newsletter called WinInfo Daily UPDATE (www.wininformant.com).

www.windowsitpro.com   We’re in IT with You   Windows IT Pro APRIL 2008 13

How WGA Used to Work in Vista 

In the original shipping version of Vista, WGA is very aggressive. In instances where the product activation period has expired, Vista switches into something called Reduced Functionality Mode (RFM), where the user can access only Microsoft Internet Explorer (IE) and then only for 60 minutes at a time; at the 60-minute mark, the user is automatically logged out. In RFM, users can also boot into Safe Mode to access documents, perform certain housekeeping tasks, and retrieve important data from a system that will need to be reinstalled. Or, they can use IE to navigate to Microsoft's Web site to obtain a legal copy of Vista.

If an activated version of Vista fails a validation check while attempting to download a 
software update of some kind, Vista will switch into a second special functional mode called 
Non-Genuine State (NGS). NGS can occur if a user makes an unusual number of hardware 
changes to a system in a short time, causing Windows to believe it has been installed on 
an entirely different PC. While in this state, certain Vista features—Windows Aero and 
Windows ReadyBoost—are completely disabled, while other, security-oriented features— 
Windows Update and Windows Defender—work in limited ways only. Windows Update, 
for example, will let you download only critical security fixes, while Windows Defender will 
remove only the most dangerous spyware from your system. 

How WGA Works in SP1 

After SP1 is installed on a Vista system, RFM and NGS are disabled. Instead, WGA triggers a notifications-based UI that's very similar to how WGA worked in XP. Users will immediately notice several changes while running a non-activated or non-validated version of Vista SP1. First, a pop-up dialog box appears over the logon screen which can't be dismissed for 15 seconds; this dialog box warns about the non-activated or non-validated state and provides a button the user can click to rectify the problem.

Second, after the user logs on, several interruptions will occur every hour: The system 
wallpaper or background will revert to a plain black color, an activation dialog box will flash 
in the center of the screen, and a yellow Help balloon will appear by the system tray. Each of 
these notifications can be dismissed and the wallpaper or background changed back. But 
the same thing will happen again every hour. 

Under the covers, there's another change: Microsoft has implemented code in WGA for SP1 that disables two of the most common exploits that bypassed activation in the initial shipping version of Vista. The first is a grace timer hack that resets the activation grace period out a number of years (in one version of the hack, all the way to 2099). The second is an OEM BIOS hack that intercepts WGA calls to the system BIOS, preventing WGA from accurately determining which hardware changes have been made to the system. Users who are utilizing either of these hacks and install Vista SP1 will have an interesting experience: Their PCs will suddenly enter a grace period countdown after SP1 is up and running and work as Microsoft intended. After the grace period expires, they will be presented with the new WGA behavior unless they successfully activate the system. The big change is that Vista doesn't remove any functionality if WGA determines that your system has become non-activated or non-validated—other than the hourly interruption of a black screen, which is surprisingly subtle and not as annoying as it sounds. Vista SP1 otherwise works normally and to full capacity.

Recommendations 

Microsoft's changes to WGA are a huge improvement over the initial shipping version of Vista and should make Vista more attractive to businesses of all sizes. The issue here isn't so much piracy. There have been too many instances over the past year where WGA incorrectly flagged legitimate Vista systems as illegitimate. The only solution to this problem is for Microsoft to drop WGA entirely. But since that's not going to happen, this change is welcome, if overdue. Vista SP1, overall, remains highly recommended: This is an update that all Vista users should install as soon as possible.


other PCs and compatible devices, such as the Xbox 360.

Remote access. WHS lets you access the contents of your home server and, in many cases, your connected PCs, via the Internet. This is handy for anyone who travels and needs to access files at home or would like to back up photos and other files to the home network while away. Remote access to the server occurs via a nice Web interface and even comes with a free Web URL (usually something.homeserver.com). But you can also access WHS and any PCs based on Windows XP Professional, Windows XP Media Center Edition 2005, or Windows XP Tablet PC Edition 2005 SP2, or Windows Vista Business, Enterprise, or Ultimate on your home network remotely using a standard browser-based remote desktop interface. (Other popular versions of Windows, such as Windows XP Home and Windows Vista Home Premium, aren't supported because these products don't include the required Remote Desktop features.)

To get remote access working properly, you'll need a Universal Plug and Play (UPnP)-based router and an ISP that doesn't block certain types of network traffic such as RDP. This remote access feature is pretty impressive, given that many companies offer similar functionality for an annual fee. With WHS, it's free.

Recommendations

WHS sounds impressive, and it is, but you might be wondering what effect this product could possibly have on your business. In the short term, WHS benefits the smallest of businesses that are looking for centralized backup, file sharing, and remote access, features that WHS delivers with simplicity, ease, and no need for an IT department or service provider. WHS isn't compatible with Active Directory, however, and it can't scale above ten connected PCs, so it won't be of interest to many SMBs. Looking forward, it's obvious that several WHS features will also appear on the next version of Small Business Server as well as other related products. The storage capabilities in WHS, which were developed by Microsoft specifically for this product, should be particularly attractive to many business users. WHS is well-suited for homes and for small businesses with limited technical capabilities.
An Alternative to Windows Vista

My company's Windows 2000 Professional (Win2K Pro) machines are nearing the end of their usefulness, so I know we have to migrate soon. However, after hearing about all the problems everyone has been having with Windows Vista, I haven't been looking forward to it. I thought that Vista was our only option—that is, until I did some research.

I had read that the first service pack for Vista was released for manufacturing ("It's Official: Windows Vista SP1, 2008 Head to Manufacturing," InstantDoc ID 98196), so I went online to find more information about it. I was hoping I could at least migrate right to Vista SP1, thereby avoiding some of the problems my sys admin friends were facing. My search, though, revealed something totally unexpected. By sheer happenstance, I stumbled across a nonpublicized announcement few people know about.

Following the lead of the Coca-Cola Company, Microsoft has announced it will again offer Windows XP, under the name of "Windows XP Classic." (For those of you too young to remember, back in April 1985, the Coca-Cola Company released a new formula for its mainstay product. There was such a backlash that by July of that year, the company started selling its old formula again under the name of Coca-Cola Classic.)

Apparently, the cries of discontentment with Vista haven't reached deaf ears. So, despite the release of Vista SP1, I'm going to wait for "Windows XP Classic."

—Ima April Fool, systems administrator, NoSuch Company

InstantDoc ID 98156 


Properly Compiling and Storing a Product Key List Is Well Worth the Effort

If you support Microsoft products that aren't volume-licensed, chances are that somewhere you have a long list of the Microsoft product keys you use to install those products. This important list is extremely vulnerable to errors. You might have misread characters when you added the keys to the list. You might have read the key correctly but then mistyped or miswrote it. Or you might have trouble reading your list due to document age or bad handwriting.

Product keys consist of 25 alphanumeric characters formatted in groups of five characters, which are separated by hyphens. Although I haven't been able to find any documentation detailing which characters are used, it isn't that difficult to determine. Based on my analysis of 160 product keys from 2002 forward, it looks like Microsoft uses the following 24 characters, which appear to be generated as truly random sequences:

2346789BCDFGHJKMPQRTVWXY

Remembering this set is much easier if you look at the 12 unused characters out of the 36 possible alphanumeric symbols:

015 AEIOU LNSZ

The first set of characters is the numerals 0, 1, and 5. The reasons for avoiding them might be fairly obvious if you've dealt with lists of keys before: 0, 1, and 5 are all easy to confuse with various letters (e.g., the numeral 0 with the letter O), particularly when handwritten.

The second set of unused characters—A, E, I, O, and U—are vowels. Although some of these can be confused with other characters, it seems more likely that these are eliminated intentionally to avoid producing sequences that look like words. Not using vowels doesn't really enhance the security of a particular product key, but it does eliminate the possibility that a truly random key generation scheme will produce sequences that look offensive to particular users.

The final set of unused characters—L, N, S, and Z—can be easily misread. A lowercase l can be misread as the numeral 1 or the uppercase I. A lowercase nn can be misread as a lowercase m. The letter S can be misread as a numeral 5, and the letter Z can be misread as the numeral 2.

Now let's talk about some of 
the basic common-sense tricks 
you can use to help keep your 
product key lists usable and 
safe. To make your product key 
lists usable, you should: 

• Record before installing. You should make it a habit to record a product's key before you install the product, then perform the installation using the key you copied. This ensures that your copied product key is correct. If you made a mistake, you should still have the original key at hand for correction.

• Include the hyphens when recording. You should include the hyphens in the product keys when recording them. Not only does this make it easier to read the codes back, but it also provides you with a way of finding simple errors. Consider the following two ways someone might make the same mistake reading or recording a product key:

23w46789bhcdfgjkmpqrtwxy
23w4-6789b-hcdfg-jkmpq-rtwxy
Both are identical, except the first one doesn't break down the product key into its five-character sets. There is no obvious way to determine where the problem is in the first example. In the second example, a quick inspection tells you that the first five-character sequence is missing a character, making it fairly easy to guess that the letter w might really be two consecutive Vs (vv).

• Be careful with easily confused characters and use uppercase letters. Most people are a little sloppy with handwriting, making it easy to confuse some characters. For example, B and 8 are easily confused when not written carefully. You also might want to stick with uppercase letters when recording product keys. Several lowercase letters in the product key character set are easy to confuse, such as g and q, and f and t.

• Enlarge. If you're handwriting product keys, write large. If you have a typed list that you print out, use a large font. If you simply photocopy keys on licenses (handy for keeping them with license information), use the photocopier's enlargement feature. Enlarging only takes an extra second and makes your copies much easier to read and less likely to be made illegible if they are copied again later.

After you've created your 
product key list, you need to 
make sure it's securely stored. 
Because key use is tracked by 
Microsoft during activation, if 
your keys are accessible to people 
who misuse them, your products 
could eventually be impossible 
to activate during installation or 
patch updates. Here are a few 
points to consider: 



• Treat the keys as confidential information, much like passwords. Make sure the lists are always protected and accessible to as few people as possible. If they're stored in a network-accessible location, ensure that the permissions in the file or database are limited to only IT staff responsible for performing machine installations. You might also want to audit access.

• If you're an IT support service provider, your clients might expect you to maintain their keys. The most secure way to handle this is to have the keys stored on the clients' sites (not your site) and make sure the clients are aware that they have ultimate responsibility for the keys. If this isn't feasible (a small client organization might be too disorganized to do this properly), you might need to store the keys for the client, but again restrict access to only those people who need to perform installations for that particular client.

• If at all possible, perform product setups in batch. This minimizes how frequently you need to open the key list, which can expose it to over-the-shoulder copying.

—Alex K. Angelopoulos, senior network engineer
InstantDoc ID 98269
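As an added example that is not part of Angelopoulos's piece, the following Python script applies the 24-character alphabet and the hyphen-grouping check described above to recorded keys: it flags characters Microsoft never uses, locates a short group, and proposes the w-to-vv reading for the article's own mis-recorded example. The sample keys are constructed, and the lowercase and B/8 warnings are my own encoding of the article's handwriting advice.

```python
"""Sanity checks for a recorded Microsoft product key list (added example,
not from the article): the 24-character alphabet and the hyphen-grouping
check described above. All sample keys are constructed, not real."""
from __future__ import annotations

from dataclasses import dataclass, field

# The 24 characters the article found in use in keys from 2002 onward.
ALLOWED = frozenset("2346789BCDFGHJKMPQRTVWXY")

# The 12 alphanumerics the article reports as never used, with its reason.
UNUSED_REASON = {
    "0": "confusable with the letter O", "1": "confusable with l or I",
    "5": "confusable with the letter S",
    "A": "vowel", "E": "vowel", "I": "vowel", "O": "vowel", "U": "vowel",
    "L": "lowercase l misread as 1 or I", "N": "lowercase nn misread as m",
    "S": "misread as the numeral 5", "Z": "misread as the numeral 2",
}
# Allowed characters the article says are easily confused when handwritten.
AMBIGUOUS = {"B": "8", "8": "B"}


@dataclass
class KeyReport:
    normalized: str  # stripped, uppercased form of the recorded key
    problems: list[str] = field(default_factory=list)  # key is certainly wrong
    warnings: list[str] = field(default_factory=list)  # key is worth re-checking

    @property
    def valid(self) -> bool:
        return not self.problems


def check_key(recorded: str) -> KeyReport:
    """Validate one recorded key and explain every deviation found."""
    key = recorded.strip().upper()
    rpt = KeyReport(normalized=key)
    if any(ch.islower() for ch in recorded):
        rpt.warnings.append("recorded in lowercase; use uppercase (g/q and f/t are easily confused)")

    groups = key.split("-")
    positions: list[tuple[str, str]] = []  # (human-readable location, character)
    if len(groups) != 5:
        compact = key.replace("-", "")
        if len(compact) == 25:
            rpt.problems.append("not broken into 5 hyphen-separated groups; re-record with the hyphens")
        else:
            rpt.problems.append(f"{len(compact)} characters, expected 25; without hyphens the faulty group cannot be located")
        positions = [(f"position {j}", ch) for j, ch in enumerate(compact, 1)]
    else:
        for i, g in enumerate(groups, 1):
            if len(g) != 5:
                msg = f"group {i} has {len(g)} characters, expected 5"
                if len(g) == 4 and "W" in g:
                    msg += " (a W here may really be two consecutive Vs)"
                rpt.problems.append(msg)
            positions += [(f"group {i} position {j}", ch) for j, ch in enumerate(g, 1)]

    for where, ch in positions:
        if ch in ALLOWED:
            if ch in AMBIGUOUS:
                rpt.warnings.append(f"{where}: {ch} is easily confused with {AMBIGUOUS[ch]}")
        elif ch in UNUSED_REASON:
            rpt.problems.append(f"{where}: {ch} never appears in a product key ({UNUSED_REASON[ch]})")
        else:
            rpt.problems.append(f"{where}: {ch!r} is not a product key character")
    return rpt


def suggest_fixes(recorded: str) -> list[str]:
    """Candidate keys obtained by reading a W in a four-character group as VV."""
    groups = recorded.strip().upper().split("-")
    if len(groups) != 5:
        return []
    candidates = []
    for i, g in enumerate(groups):
        for j, ch in enumerate(g):
            if len(g) == 4 and ch == "W":
                fixed = groups[:i] + [g[:j] + "VV" + g[j + 1:]] + groups[i + 1:]
                candidate = "-".join(fixed)
                if check_key(candidate).valid:
                    candidates.append(candidate)
    return candidates


# Constructed sample list: the article's mis-recorded key, a correctly
# recorded key, and a key containing characters Microsoft never uses.
SAMPLE_KEYS = [
    "23w4-6789b-hcdfg-jkmpq-rtwxy",
    "23VV4-6789B-HCDFG-JKMPQ-RTWXY",
    "23O46-6789B-HCDFG-JKMPQ-RT1XY",
]

if __name__ == "__main__":
    for recorded in SAMPLE_KEYS:
        rpt = check_key(recorded)
        print(recorded, "OK" if rpt.valid else "BAD")
        for line in rpt.problems + rpt.warnings:
            print("   ", line)
        for cand in suggest_fixes(recorded):
            print("    candidate:", cand)
```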

Open a Command Prompt Window While Installing Windows

Sometimes when you're installing Windows, you might need to perform a minor task (e.g., check the available disk space) or a more important one (e.g., search all disks for a driver's .sys file). You might think that performing such tasks while Windows is installing is impossible, but that's not the case. What many people don't realize is that you can access a command prompt window while installing Windows. All you have to do is press Shift+F10 when you reach the Installing Windows phase. This trick works with Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP.

Being able to access the command prompt window during installation can be a godsend. For example, one time Windows prompted me for a driver's .dll file during installation, but I couldn't remember where that file was stored on my disks. Clicking Browse would've been a hassle because I would've had to look through all the folders and subfolders to find the .dll file. Instead, all I did was press Shift+F10 and run a Find command to discover exactly where the file was located.

—Apostolos Fotakelis, systems administrator, NATO, and freelance IT consultant
InstantDoc ID 98267

Another Way to Quickly Copy File Paths

In the Reader to Reader article "Hidden Option, Free Utility Can Be Real Time-Savers If You Copy File Paths Often" (November 2007, InstantDoc ID 95953), Alex K. Angelopoulos shows how to use Windows Vista's Copy as Path option and Ninotech's Path Copy utility to copy file paths that appear in Windows Explorer. There's another way you can copy file paths. If you open a command prompt window and drag and drop a file into that window, it will paste the full path onto the command line. Windows has had this feature since Windows NT, so Alex could use this file-path copying technique on pre-Vista machines that don't have Path Copy installed. For Vista, however, he'll have to use the Copy as Path option (right-click while pressing Shift, then select Copy as Path) because Microsoft decided to remove this functionality from Vista (and probably from Windows Server 2008 as well).

Because I do most of my work from a command prompt window, I rarely open Windows Explorer. When I need a Windows Explorer window opened pointing to the current directory in a command prompt window, I type

start .

I find this to be a lot faster than opening My Computer and navigating to the folder, especially if you use filename completion when navigating at the command prompt. You can also open a specific folder by passing the path instead of a period. (The period stands for the current folder. You can also use two consecutive periods to stand for the parent folder.)
—Toby Ovod-Everett
InstantDoc ID 98268
Virtualization

Operating System Virtualization

Managing an increasingly virtualized IT infrastructure is the focus of Parallels Virtuozzo Containers 4.0, a container-based server virtualization product from Parallels, Inc. According to the vendor, Virtuozzo Containers 4.0 allows IT pros to partition single OS installations into scalable virtual environments called 'containers' that can help optimize the use of available hardware resources. This latest release introduces improved backup capabilities, support for Windows Server 2003 and Red Hat clustering services. Hardware resources can now be optimized in real time, and new hardware device forwarding and device sharing features have also been added. For more information, contact Parallels at 425-282-6400 or visit www.parallels.com.

Product Spotlight

Systems Management

Automate and Simplify Windows Server 2008

Microsoft has released Microsoft Robert 2008, a desktop management application that helps novice IT pros get up to speed quickly with Windows Server 2008. "Windows Server 2008 isn't the easiest product to use," says Microsoft spokesman S. Ballmor. "We've learned a lot about how to improve this latest server thing thanks to our intense dogfooding efforts, so we decided to productize that knowledge into Microsoft Robert 2008, which is our latest uber desktop management application, blah, blah, blah." According to the launch news release, the application seeks out and isolates "cancerous Linux machines" on the network and features helpful animated guides that can assist users with overly difficult IT housekeeping tasks, such as VM downgrades from ESX Server to Hyper-V, or helping Windows Vista Ultimate users find their elusive Ultimate Extras. More than a dozen animated guides are included, ranging from Happy Santa (who loves to chat on MSN), to Steve Jay (a hip, turtleneck-wearing tech executive from California that can't get enough of Windows Vista). According to Ballmor, Microsoft Robert 2008 provides a crisp, timely solution to once onerous IT tasks. "With this product, our customers won't have to learn about confusing concepts like 'Group Policy' and 'Active Directory' anymore—only nerds need to know that stuff anyway." For more information, contact 970-203-2775.

Backup and Recovery

Real-time Mirroring, Synchronization, and Backups on Windows

RAID-1 capabilities are typically available only in software, which is expensive. Techsoft offers a less expensive alternative with MirrorFolder 4.1, a real-time mirroring and synchronization application that backs up files from a local Windows drive to any local, removable, or network drive. In RAID-1 mode, MirrorFolder creates a real-time, bootable backup of your hard drive on another local drive. MirrorFolder works on Windows Vista, Windows Server 2003, Windows XP, and Windows 2000 Server. For more information, contact Techsoft at info@techsoftpl.com or visit www.techsoftpl.com.


New & Improved

Storage/Backup and Recovery

Optimize Key DPM 2007 Tape Archive Functions

FalconStor Software announced that it has successfully tested all its virtual tape library (VTL) storage solutions with Microsoft System Center Data Protection Manager (DPM) 2007. IT storage planners and architects can now combine DPM 2007 with new and existing heterogeneous environments by integrating FalconStor VTL features with multiple backup applications that share tape library resources. For more information, contact FalconStor at 866-669-3252 or visit www.falconstor.com.


Development

Analyze Source Code

Fortify Software Inc. has released Fortify SCA 5.0, the latest release of their source code analysis software. Designed to help developers find security issues with the programs that they develop, Fortify SCA 5.0 also introduces a number of new features, ranging from a security rules wizard to enhanced collaboration functionality that allows teams of developers to more easily work together on shared projects. Fortify SCA 5.0 supports a variety of programming languages, including COBOL, JavaScript (Ajax), PHP, and classic ASP/VB script. For more information, contact Fortify Software at 650-358-5600 or visit www.fortifysoftware.com.

Exchange Security

Protect and Secure Email

Keeping email secure is the focus of PostGuard, a new hosted email security service from Sentinare Messaging Solutions. According to Sentinare, the PostGuard service screens email content prior to its arrival at the email server. Sentinare's email data center removes spam, viruses and other malicious email content, and then forwards approved email messages to user inboxes. IT pros can also manually configure blacklists and whitelists, which can improve the accuracy of the service. For more information, contact Sentinare at info@sentinare.com, call 877-727-9786, or visit www.sentinare.com.

Portable Software

Make Work Environments Portable

Intranet Sdn Bhd has announced updated versions of their my.encoder, my.backup, my.shredder, and my.zip portable software applications. SmarThumb my.encoder protects files with sophisticated encryption; my.backup is designed for saving and restoring files and applications; my.shredder erases files using a secure method that makes them difficult to recover; and my.zip can be used to compress files to a more manageable size. SmarThumb applications run on Windows Vista, Windows XP and Windows 2000. Pricing begins at $15.90 for a single license. For more information, contact SmarThumb at sales@smarthumb.com or visit www.smarthumb.com.

Exchange Archiving

Search and Secure Email for e-discovery

Lucid8 has released DigiScope 2.0, the latest version of their email e-discovery search tool for Microsoft Exchange. Key new features of the new release include: the ability to repair .PST and .EDB files; ability to export selected search results in a variety of formats; a new physical de-duplication feature that eliminates redundant search results; and improved support for native Outlook email, contact and calendar items. DigiScope 2.0 also supports DigiVault 2.0, Lucid8's forthcoming Continuous Data Protection (CDP) product for Microsoft Exchange. For more information, contact Lucid8 at 425-456-8462 or visit www.lucid8.com.




InstantDoc ID 98212 
Industry Bytes


Insights from the industry 

Will XP SP3 Slow Your Migration to Vista? 


As many enterprises begin to consider migrating to Vista, recent news has added some drama to an already complex issue. In late November, Devil Mountain Software tested pre-release versions of Windows Vista SP1 and Windows XP SP3 with OfficeBench, a testing script that utilizes Microsoft Office to gauge system performance. During their tests, Devil Mountain found that Vista SP1 offered no performance improvements over Vista RC, but discovered that XP SP3 was more than 10 percent faster than XP SP2. Now here's the important bit: In the same battery of tests, XP SP3 was also found to be measurably faster than both Vista RC and Vista SP1.

Microsoft Vista Product Manager Nick White commented on the test results, writing in his blog that benchmarks of pre-release software aren't the best indicators of software performance, as ongoing development work could invalidate any test. "Publishing benchmarks of the performance of Windows Vista SP1 now wouldn't be a worthwhile exercise for our customers, as the code is still in development," said White. "Further, tests like these only measure a very small set of Windows capabilities and so aren't representative of the user's overall day-to-day experience of working with Windows and running applications."

Director of Devil Mountain Software Randall C. Kennedy reacted strongly to the criticism, calling White's description of his testing as a "blatant mischaracterization" and saying that White's criticism was a "Microsoft hit piece ordered from on high." Kennedy argues that OfficeBench does a more rigorous battery of tests than White claims, and asserts that the Devil Mountain tests are a good indicator of overall system performance.

For Microsoft, news of XP SP3 faring better in testing than Vista SP1 may have come at an inopportune time. Despite numerous Vista success stories, corporate adoption of Vista is lagging behind that of Windows XP, and both hardware ISVs and consumers have pressured Microsoft to continue offering Windows XP on new computers.

Most IT administrators would agree that performance improvements aren't their only concern, and Vista SP1 does introduce a host of important fixes that should improve upon the reliability and functionality of Vista. "Any organization fence-sitting [and basing their migration to Vista] on the performance issue won't get what they want...Vista SP1 is simply slower than XP SP3 at a lot of things," says Kennedy. "What Vista SP1 does offer is improved compatibility, lots of bug fixes, and improved reliability. Those are important benefits, and may be enough for some people to migrate to Vista. Improved performance [over Windows XP] just isn't one of those benefits."
—Jeff James
InstantDoc ID 97796
Extending Active Directory Across Multiple Platforms

Some machines just don't die. You know this, especially if you deal with any UNIX or Linux systems. And maybe you know some UNIX guys and gals whose motto is: "Mess with my UNIX system over my dead body." Those people are still around, too. But compliance requirements are altering their jobs and yours, especially if your IT department manages a heterogeneous platform environment.

Now the word from above is "extend Active Directory to UNIX and Linux systems" or maybe the word from above is just "Do it." Symark Software believes it can help. Its PowerADvantage product offers a unified log-in solution that brings Active Directory (AD) centralized authentication, policy enforcement, and infrastructure management to UNIX and Linux systems.

PowerADvantage works by setting up an agent on UNIX and Linux machines that talks to the AD domain controllers (DCs). During installation of the agent, the UNIX/Linux host joins the domain and the host is configured to route authentication requests through the PowerADvantage agent. The agent is then able to communicate with AD DCs and handle authentication requests and access the Group Policy Objects (GPOs) needed for configuration management.

"A lot of UNIX guys aren't familiar with Windows—we had to make it [the product] UNIX-specific," says Symark product manager Jeff Nielsen. On the other hand, he adds, "The nice thing about Group Policy is the template side is in a template language that's Microsoft and simple. On the app side, the user can create in shell script. A UNIX guy can feel comfortable."

Symark approaches identity management from the UNIX security side. "Our big customers asked us to get into this [extension of AD]," Nielsen says. A lot of their customer companies feel the pain of dealing with identity management in this age of auditing and compliance, he says. "Some have LDAP directories and AD was separate and on top of that they had a global directory. As soon as you have a number of UNIX machines and Windows machines to manage, you need help—three UNIX machines you can manage; five to 30,000 UNIX machines require this product to keep configurations straight." The enterprise as well as small-to-midsized businesses (SMBs) find the product appealing, he adds.

Symark also adds solutions to use in tandem with PowerADvantage: PowerBroker provides protection for the UNIX root account, which AD cannot, and PowerKeeper holds passwords for crucial accounts.

—Caroline Marwitz 
InstantDoc ID 97884 
Lenovo ThinkPad X61



I've just spent a month playing around with Lenovo's latest ultraportable laptop computer, the ThinkPad X61—a sturdy little powerhouse that boasts a low-voltage 2GHz Intel Core 2 Duo processor, 2GB of RAM, and a 100GB, 7200rpm hard disk. Weighing in at about 3 pounds, the ThinkPad X61 is definitely a godsend for the frequent traveler, and it's undeniably powerful for its size. It's about 10.5" wide, a little over 8" tall, and the case thickness varies from a bit less than an inch to a still-respectable 1.39" at its widest point. But the unit lacks certain important features, giving it an oddly old-school feel.

Let's start with first impressions. Opening up the laptop, I was struck by its build quality. This is a well-constructed machine with a nice fit and finish. Next, I noticed that Lenovo has opted against using a widescreen (16x9) display, instead reverting to an old-school 12.1" display with a standard 4x3 aspect ratio. I can't help but feel a bit disappointed by this choice, having come to love the widescreen ratio on my other systems. That being said, I know some users who prefer the standard ratio for business use and save the widescreen presentation for their home media. (Anyway, the built-in speakers are nothing to crow about.) As it stands, the ThinkPad X61's display is vivid, performing better in bright-light scenarios than other ultraportables I've seen.

How about the keyboard? Another first impression is that Lenovo is still using its red TrackPoint pointing stick in the center of the keyboard. Here, I must admit to another personal bias: I can't stand pointing sticks. (The ThinkPad offers no touch pad—a far more preferable navigation device, in my mind.) Three mouse buttons underneath the keyboard provide left-click, right-click, and scroll functionality. Even after a month, I found this setup decidedly frustrating and antiquated. However, once I got past my own bias, I could see that the ThinkPad boasts nice, large keys that invite more comfortable typing than most ultraportable keyboards. Pay special attention to the ThinkVantage button just beneath the screen: Pressing it brings up the ThinkVantage Productivity Center, a terrific resource to help you with system maintenance. There's also some new gadgetry on the ThinkPad X61 that might increase your interest: For example, a fingerprint reader just to the right of the mouse buttons lets you securely log on, and a button on the bottom lets you disable the Wi-Fi radio.

The ThinkPad X61 offers basic connectivity ports and inputs, including an expansion bus (for the UltraBase or an extended battery), three USB 2.0 ports, a 1394 port, an external display adapter connector, audio and Ethernet ports, as well as the expected AC adapter plugs and RJ-11 modem port. As I stated earlier, it lacks a built-in optical drive. My test device included the optional X6 UltraBase dock, which contains a DVD/CD-RW burner, as well as a number of additional business-connectivity inputs and ports.

The ThinkPad X6I I tested ran Win¬ 
dows Vista Business, and I found its 
performance to be generally pleasing. 

I didn’t notice a huge speed boost with 
the Core Duo processor, but I found it 
to be a step forward in all tasks: Bootup 


SUMMARY 


Lenovo ThinkPad X6I 

Impressive CPU speed and solid, 
quality construction; vivid LCD display; 
may not be the lightest portable laptop, but 
features an impressive array of ports and 
interfaces 

Lack of an integrated optical drive 
may limit usability for some users; the inte¬ 
grated pointing device can be difficult to use 
for those not accustomed to using it 

♦♦♦♦O 

$l,500-$2,500 

The ThinkPad 

X6I comes with its share of idiosyncrasies— 
including old-school full-frame display and a 
dreaded pointing stick—but I have to recom¬ 
mend the unit for its dual-core power and 
extreme portability. Road warriors will love it. 

Lenovo • 866-96-THINK • 
www.lenovo.com 


seemed average, but Internet activity 
was impressive if not startling. After div¬ 
ing into some multitasking, I could clearly 
experience the benefit of the processor: 
There was no lag switching quickly from 
app to app. Probably the ThinkPad X6l’s 
greatest competitive advantage is its 
dual-core performance in such a travel- 
friendly package. 

As always, I recommend investing in 
the longer-life battery. My test unit came 
with a larger, higher-capacity battery that 
gave the ThinkPad X6I an impressive 
battery life of more than five hours, in my 
tests. Also as always, that larger battery 
increased the weight, size, and price of 
the laptop itself, so be aware of those 
tradeoffs. The bigger battery is certainly 
a necessary upgrade, though. 

The ThinkPad X6I isn’t the smallest 
of lightest ultraportable available, and I 
found its general usability to be some¬ 
what lacking (from my admittedly biased 
point of view). But I can’t deny its dual¬ 
core power or its extreme portability. 

This is a comfortable device for the road 
warrior—as long as you can get past its 
idiosyncrasies. ^ 

InstantDoc ID 98202
—Jason Bovberg 
Review


SteelEye Technology LifeKeeper Protection 
Suite for Windows 

Editor's Note: To read the full-length version of this review, go to www.windowsitpro.com and enter InstantDoc ID 98129.


LifeKeeper Protection Suite for Windows 6.1.2 (LPSW) combines two SteelEye Technology products: SteelEye Data Replication (SDR) volume replication support and LifeKeeper for Windows high availability. Though bundled together, they install as separate services, have separate documentation, and separate management interfaces. Administration is somewhat integrated, as LifeKeeper automatically configures SDR when you configure a failover scenario that requires it. Key features include block-oriented synchronous or asynchronous volume replication, a variety of failover modes supporting shared or replicated storage on both physical and virtual servers, and a new continuous data protection (CDP) function within the recovery feature set.

A LifeKeeper cluster consists of two or more interconnected servers. A cluster can include servers that are local to or remote from the primary application server, and administrators can configure them to fail over to a standby server either automatically or manually.

LifeKeeper core components include a configuration database, a communications manager, an alarm interface used to trigger events, and a control interface to locate the correct scripts used for recovery actions. LifeKeeper requires at least two communication paths between the servers—one or more for LifeKeeper heartbeat communications (a periodic message between paired nodes that detects faults), and one or more for normal server communications.


LPSW includes application recovery support for file server resources, including volumes and file shares, and for Microsoft IIS. LifeKeeper supports many standard storage types; Windows fault-tolerant disk sets are an exception and are unsupported.

To test LPSW, I used two Windows 2003 systems configured with IIS and a disk volume defined with a share. Each system also had two Ethernet cards, one for LifeKeeper's heartbeat network, the other for normal server communications. I installed LPSW on both servers and defined a communications path for LifeKeeper heartbeat communication. Next, I defined a protected resource hierarchy using features of the basic recovery kit included with LifeKeeper core components. A wizard helped me define a volume resource and configured SDR to mirror the volume's data to the other server. I also created an IP address resource and a DNS resource.

To test failover, I configured LifeKeeper on the primary server to fail over upon shutdown, then I shut down the server. In less than a minute, my file share was again accessible through the IP address I had assigned to the virtual server name I had created and defined in DNS. After bringing the primary server back up, I failed the resources back by bringing the top-level resource back in service on the primary server. Again, it took only a minute for the IP resource to be accessible again and a few minutes more for the DNS resource.


SUMMARY

LifeKeeper Protection Suite for Windows

Pros: Broad feature set supports complex failover scenarios that include multiple remote and local servers as well as both shared and replicated storage; easy to implement; flexible administration; easy-to-execute manual failover and fail-back processes; reliable automatic failover

Cons: Documentation for the underlying replication and high-availability components isn't integrated

Rating: 4 out of 5

Price: $2,000 per server with a $500 annual support fee

Recommendation: Add LifeKeeper Protection Suite for Windows to your short list when looking for a flexible, easy-to-implement high-availability solution.

SteelEye Technology • 866-318-0108 • www.steeleye.com


In spite of my successful definition of resources and failover testing, the LifeKeeper GUI showed both the primary and standby servers in a "warning" state. Through trial and error, and subsequently confirming this in the documentation, I figured out that LifeKeeper wants you to define more than one heartbeat communication path. The warning icon changed to the OK icon after I defined an additional heartbeat path on the primary IP network.

I really liked LPSW's support for both replicated and shared storage, its ease of configuration for both scenarios, and its support for more complex failover scenarios involving multiple local and remote servers. However, although the documentation for the underlying software components and recovery kits was well organized and easy to follow, it lacked the level of integration you would expect, considering the single-product image that SteelEye is marketing. If you're looking for an easy-to-implement high-availability solution, I recommend that you put LPSW on your short list.

InstantDoc ID 98129
—John Green
Market Watch


SAM Minds Your IT Assets 

Businesses are turning to software asset management tools to 
fend off licensing audits and control costs 


Many IT managers would fail tests on knowing what software assets are on their systems, how many copies are installed, and what their license requirements are. Often, internal audits or receipt of a dreaded Business Software Alliance (BSA) or Microsoft auditing letter will reveal many more unlicensed programs on the organization's PCs, servers, mobile assets, or other devices than the IT department was aware of. Proactive software asset management (SAM), an organized process for tracking and managing licenses and software usage in an organization, offers a way to avoid unpleasant auditing surprises. To better understand how a SAM strategy might benefit your organization, it's helpful to know the components of SAM (particularly its usefulness in license management), get acquainted with SAM products that can help you manage software and other IT assets, and become familiar with SAM trends, such as the use of configuration management databases (CMDBs) in SAM implementations.

SAM and Licensing Compliance 

SAM encompasses a number of components, technologies, departments, and processes to manage an organization's software assets, including
• procurement and licensing
• deployment and patching
• discovery, metering, and license management

A SAM strategy could include the use of asset-discovery tools, application metering, and license repositories, all of which can help you get a grip on what's in your software library and determine whether you're in compliance with licensing requirements.

The license-compliance aspect of SAM involves different departments, including purchasing, accounting, and IT. These departments often use dissimilar processes and programs to track assets, contracts, and licenses. Getting all concerned parties to use a consistent set of license management procedures might be the biggest hurdle to an effective SAM plan. Contracts and licenses could still be on paper and not entered in an electronic repository. Accurate procurement records might be stashed in a filing cabinet in the basement in no particular order. Assets may have succumbed to "PC drift" (i.e., the undocumented movement of PCs from one area or user to another) and could be impossible to track down.

The SAM standards issue is garnering so much interest that the ISO and International Electrotechnical Commission (IEC) developed ISO/IEC 19770-1:2006, a standard that organizations can use to plan and implement SAM. (You can download a copy of the standard, for a fee, at www.iso.org/iso/catalogue_detail?csnumber=33908.)

SAM for Audit Preparation 

The importance of having a SAM strategy in your organization becomes evident when you face the prospect of an audit. Say you receive a letter from an industry association or software publisher notifying you of a vendor audit, generally within 14 to 60 days of the letter date. The auditor will bring a software asset-discovery tool and search your network devices, PCs, and mobile devices for applications. Then the auditor will ask you to provide proof of licensing compliance for all software assets. Gulp! Time to cram. If you've been notified about an audit and are scrambling to prepare for it, here's what you need to do:

• Use a discovery tool to find all your software assets on PCs, servers, other network devices, and mobile devices.

• Meter usage of the assets to determine how each is used and how often.

• Build your license repository to compare it with your assets for compliance.
The best way to complete all these steps is to get a SAM solution that will automatically plug into your network, find the assets, meter usage, and compare the license repository with the asset information. Alternatively, you could opt for a tool that performs a particular SAM task (e.g., creating an inventory of assets).

Guidelines for Evaluating SAM Solutions

When researching SAM solutions, keep these questions in mind:

• Does the product have all the required SAM tools (discovery, usage metering, license repository) and a method of comparing asset deployment and usage with license requirements?

• How automated are the SAM's features?

• How easy is it to deploy and use? Does it have a management console?

• How stable is the vendor? Will it be around for support and upgrades?

• Is there a clear path for incorporation into a CMDB?

• Can it integrate into a management suite, with remote controls, patch management, and other systems management functions?

SAM Products

Ideally, you'll be looking for a SAM product well before you receive any type of compliance request. Then you can set up a SAM lifecycle solution that will not only make sure you're prepared when the auditor walks in the door but also help you get a handle on your software assets for better organization, budgeting, and legal compliance. The following partial list of SAM products can give you an idea of the types of features such solutions provide. (Also see the sidebar "Guidelines for Evaluating SAM Solutions" for a list of questions to ask SAM vendors when you're looking at products, and the Web-exclusive sidebar "SAM Vendors and Resources," www.windowsitpro.com, InstantDoc ID 98247, for contact information for the SAM resources mentioned in this article.)

CA Unicenter Asset Portfolio Management. This comprehensive asset management solution aims to facilitate the collection and sharing of information among IT, accounting, and purchasing to give you a clear picture of your organization's software assets, including licensing. IT might have a firm grasp of its network and software assets, but without licensing information, a compliance assessment is worthless. If you add purchasing and deployment to the mix to determine whether too many or too few licenses are procured and how the assets are deployed, gaining a comprehensive understanding of the entire process could be a nightmare. Asset Portfolio Management not only can give IT administrators and business managers the full view of IT assets and license compliance, it might also unearth options for better procurement and deployment efficiencies, cost management, and streamlined processes.

HP OpenView AssetCenter. This solution is designed to manage your IT asset management lifecycle from procurement to management and retirement. AssetCenter lets you compare business goals and the software tools necessary to accomplish those goals with what's in your software asset library. This comparison capability could save you from having to buy additional products and licenses if you already have the assets on hand. Then you'll need to monitor changes in the IT infrastructure so that assets aren't lost when new employees are assigned new assets or existing assets are reassigned. AssetCenter consolidates IT asset information in a CMDB repository, including user information (more about CMDBs a little later). It also includes a license repository for ongoing monitoring of asset procurement and usage.

LANDesk Management Suite. LANDesk's asset lifecycle solution provides discovery, metering, and license-compliance features. The LANDesk Management Suite also lets administrators set policies to stop use of unauthorized or unlicensed software. An IT admin can set policies for unauthorized programs or types of programs, such as games and audio and video players. AssetCenter's remote control module lets administrators delete unauthorized programs from users' computers, even if the users are off the LAN and working remotely.

Absolute Software's Computrace. Computrace is geared toward organizations whose asset management concerns are mainly about security or PC drift. Since most discovery tools provide only an asset snapshot, assets that move around might easily get lost. Computrace enables asset tracking, policy setting, and remote control, but its differentiator is the client agent. The agent proactively reports to

any configuration changes made to the asset, and policy violations. Computrace also includes a LoJack for Laptops option, a theft-protection service that tracks, locates, and recovers stolen computers. Computrace can be embedded in a computer's BIOS firmware at the OEM factory or installed on a computer's hard drive. When embedded in the BIOS, Computrace will survive OS reinstallation, hard-drive reformatting, and even hard-drive replacement. Computrace is supported on 32-bit versions of Windows Server 2003, Windows XP, and Windows 2000 and 32-bit and 64-bit versions of Windows Vista as well as on Mac OS X.

AppSense Terminal Server License Management. This product, a component of AppSense Management Suite (you can buy it separately from other products in the suite), offers policy enforcement and application restrictions for application-delivery infrastructures that are based on Windows 2003 Terminal Services or Citrix Systems products. Since Microsoft's Terminal Services licensing is frequently based on potential application users rather than actual or concurrent users, proactively restricting application access can greatly decrease the number of licenses an organization must acquire. AppSense's kernel-level filter driver intercepts all file-execution requests to determine whether they're authorized. If not, the user gets a denial message.

Microsoft System Center Configuration Manager 2007. Asset intelligence, a feature of Configuration Manager 2007 that's been around since Systems Management Server 2003 SP3, provides a variety of reports in the areas of license management, software metering and inventory, and hardware inventory. These reports, which draw from the inventory and application-usage data that Configuration Manager collects, can give IT an accurate picture of hardware and software usage in an organization. For example, the license management client agent reports provide information about licenses in use and time until expiration; the software agent collects information about software titles installed on IT assets. The license management reports are formatted similarly to a Microsoft License Statement for easy comparisons. By comparing the software asset intelligence reports with the license management reports, you can determine whether you're complying with your Microsoft application licenses.

By default, asset intelligence isn't enabled in Configuration Manager. To gather software asset information, you must enable the hardware inventory client agent and the applicable classes in the sms_def.mof file. Microsoft provides direction for configuring asset intelligence data collection and all the classes that must be enabled at technet.microsoft.com/en-us/library/bb694072.aspx. A number of software reports also rely on the software metering client agent for data. Instructions for configuring software inventory for a site are at technet.microsoft.com/en-us/library/bb633191.aspx.

SAM Trends: Integration and CMDBs

The integration of SAM products into larger, more inclusive network management solutions is the next market step. The ability to use the data from the discovery tool and license management repository as part of a larger CMDB operation is what vendors are striving for in the near future.

For example, Numara Software is integrating its SAM product Track-It! with its FootPrints service desk solution to provide more IT services in one package. The Numara Track-It! asset management and Help desk solution combines the discovery, metering, and license repository of a SAM system and a full Help desk solution. Track-It! also has modules for software deployment, patch management, administration remote control, and network monitoring. When the product's discovery, metering, and license-compliance tools complete their tasks, Track-It! creates a Help desk ticket to make sure the information gets to staff whose job it is to resolve compliance issues. For example, the Track-It! discovery and license-compliance tools might find that a company has 125 Microsoft Office 2007 installations, but its license allows only 100 installations. Track-It! will create a Help desk ticket to assign someone to determine whether all 125 installations are necessary and the Office 2007 license must be upgraded, or whether the Office 2007 instances can be uninstalled to comply with the current license.
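The audit-prep steps earlier in this article (discover, then build a license repository and compare it with the assets) and the Track-It! over-deployment scenario just described, as an added PowerShell example that is not part of this article or of any vendor's product: discovery reads the local host's Uninstall registry keys, and the comparison runs a constructed inventory against a constructed license repository and flags the condition Track-It! would ticket. The computer names, product names and license counts in the sample are made up; the two function names, their parameters and PowerShell 3.0 as the minimum version are this example's own assumptions. Usage metering is left out because it needs data a snapshot does not carry.

```powershell
# Added example for this article (not from any vendor's product): audit-prep
# discovery and license comparison as a script. Discovery reads the local host's
# Uninstall registry keys; the inventory and license data the comparison runs on
# are constructed samples so the script runs offline. Assumes PowerShell 3.0+.

function Get-InstalledSoftware {
    # Discovery for one Windows host: enumerate both Uninstall hives so 32-bit
    # software on 64-bit Windows is not missed. Run it on each PC (e.g. via
    # Invoke-Command) and concatenate the output to build $inventory below.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $ComputerName
                Product  = $_.DisplayName
                Version  = $_.DisplayVersion
            }
        }
}

function Get-LicenseCompliance {
    param(
        [Parameter(Mandatory)] [object[]]$Inventory,  # records with Computer and Product
        [Parameter(Mandatory)] [hashtable]$Licenses   # Product -> installs purchased
    )
    # Count distinct computers per product: two Uninstall entries on one PC
    # (a suite plus its updater, say) must not be counted as two installs.
    $installed = @($Inventory | Group-Object -Property Product | ForEach-Object {
        [pscustomobject]@{
            Product   = $_.Name
            Installed = @($_.Group | Select-Object -ExpandProperty Computer -Unique).Count
        }
    })
    $report = @(foreach ($entry in $installed) {
        # A product absent from the repository is licensed for zero seats,
        # which is what an auditor will assume too.
        $licensed = if ($Licenses.ContainsKey($entry.Product)) { [int]$Licenses[$entry.Product] } else { 0 }
        [pscustomobject]@{
            Product   = $entry.Product
            Installed = $entry.Installed
            Licensed  = $licensed
            Shortfall = [math]::Max(0, $entry.Installed - $licensed)
            Status    = if ($entry.Installed -gt $licensed) { 'OVER-DEPLOYED' } else { 'OK' }
        }
    })
    # Licenses bought for products that discovery no longer finds are wasted spend.
    foreach ($product in $Licenses.Keys) {
        if (-not ($installed | Where-Object { $_.Product -eq $product })) {
            $report += [pscustomobject]@{
                Product = $product; Installed = 0; Licensed = [int]$Licenses[$product]
                Shortfall = 0; Status = 'UNUSED LICENSES'
            }
        }
    }
    $report | Sort-Object Status, Product
}

# Constructed sample inventory: what discovery returned for four PCs. PC03 lists
# Office twice, as two Uninstall entries on one machine would.
$inventory = @(
    [pscustomobject]@{ Computer = 'PC01'; Product = 'Microsoft Office 2007' }
    [pscustomobject]@{ Computer = 'PC02'; Product = 'Microsoft Office 2007' }
    [pscustomobject]@{ Computer = 'PC03'; Product = 'Microsoft Office 2007' }
    [pscustomobject]@{ Computer = 'PC03'; Product = 'Microsoft Office 2007' }
    [pscustomobject]@{ Computer = 'PC04'; Product = 'WinZip 11' }
    [pscustomobject]@{ Computer = 'PC01'; Product = 'Unapproved Game' }
)
# Constructed license repository: product -> number of installs purchased.
$licenses = @{ 'Microsoft Office 2007' = 2; 'WinZip 11' = 5; 'Adobe Acrobat 8' = 3 }

Get-LicenseCompliance -Inventory $inventory -Licenses $licenses | Format-Table -AutoSize
```

Against the sample data the report marks Microsoft Office 2007 as OVER-DEPLOYED with a shortfall of 1 (three distinct PCs against two licenses; PC03's duplicate entry counts once), the unlicensed game as OVER-DEPLOYED, Adobe Acrobat 8 as UNUSED LICENSES and WinZip 11 as OK. The OVER-DEPLOYED rows are the ones that would become a Help desk ticket in the Track-It! scenario; the UNUSED LICENSES rows are the procurement savings a license repository makes visible.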

Other integrated solutions, such as CA Unicenter Asset Portfolio Management, HP OpenView AssetCenter, and LANDesk Management Suite, are also moving toward incorporating CMDBs in their products. A CMDB, basically a single source of record for everything related to IT, contains information about an organization's IT assets, including hardware, software, and employees, and their relationships with one another. A CMDB is required if your organization is adopting the best practices of the IT Infrastructure Library (ITIL) and also is a key element in IT Service Management (ITSM: the relationship between enterprise IT infrastructure and the organization's business goals). SAM is one component of the CMDB.

Having a complete CMDB can benefit an IT department by

• giving you better knowledge for budgeting and purchasing. The CMDB is a central repository with knowledge of every configuration item, its use, its compliance with license limitations and requirements, and how each asset is related to and affected by every other asset. Once you understand what applications and assets are frequently used, and which are not, you can better support budget and procurement requests.

• giving you more control over IT assets. When you have a central repository of IT information, you can monitor all your hardware and software assets and be notified of any configuration changes or software installations. With that information and information about how those changes might affect other enterprise IT components, you'll have more control over your IT infrastructure.

• helping you respond to events that cause loss of productivity and downtime. Using the CMDB, you can trace how and when an event occurred and what processes it affected, which can help you identify and resolve the problem.

Implementing a CMDB

Organizing and collecting all the data necessary for a successful CMDB is the formidable barrier to its widespread adoption. IT will need to obtain the cooperation of departments such as purchasing and HR to integrate purchasing data with the automated asset-discovery tool and license repository. Other impediments include the problems that come with a single-point-of-entry database approach and the ability to host such a large repository in one location. The idea of a federated database is gaining acceptance in the ITIL community. The CMDB would store a limited amount of data on each configuration item, then link to other locations, known as CMDB extended data sites, with expanded knowledge of the requested item. This approach would meet the goal of establishing a single point of reference for IT knowledge, but reduce the CMDB's size.

Implementing a CMDB is a long-term process. You may have to change many processes and win over staunch detractors. Then there are the financial and time commitments that implementing a CMDB will require. Here are some of the steps you'll have to take during the process:

• Educate your employees about CMDB benefits. To successfully establish a CMDB, you'll have to have enough support to get every department on board.

• Determine how IT can support your business goals.

• Establish what data the CMDB requires and where it currently resides. Interdepartmental cooperation will be essential.

• Use an automated discovery tool to find out what assets you have. The database is only as good as its data.

• Integrate data from disparate applications and departments, such as licensing information and requirements, purchasing processes, and asset retirement procedures.

• Diagram the relationships between configuration items. This is crucial and possibly the most important step to developing a successful CMDB.

• Establish the CMDB administrative processes. Decide who has access and how information is to be updated.

Better Information About IT Assets

If you're seriously considering implementing a SAM solution, keep in mind that it will likely be part of a CMDB. Therefore, you'll need to determine which departments must be involved in preparing for the SAM and CMDB and start getting key people on board. You'll also need to figure out how to integrate disparate departmental operations programs and databases and initiate the process of integrating their data. As you've probably gathered by now, putting a SAM in place involves some significant effort, but the ROI will come in increased network efficiencies, time and money savings, and perhaps most important, peace of mind in knowing that your organization is complying with licensing agreements.
Enterprise Patch Management Software

Plan ahead to avoid a mad scramble later

As vendors consolidate previously separate IT administrative functions (e.g., patch management and virus protection) into one inclusive solution, patch management products and services are quickly becoming components of larger systems configuration and management solutions. Examples of inclusive solutions include Microsoft's System Center and CA's Unified Service Model. A result of this market shift is that the number of standalone patch management packages is dwindling as companies merge and combine product lines (such as the merger of PatchLink and SecureWave to form Lumension Security) and as larger companies acquire smaller providers of system components (such as Symantec's acquisition of Altiris). This Buyer's Guide lists 11 products that manage enterprise OS and application patching. Many of these solutions also address other IT concerns, such as security, Help desk, and asset management.

Essentials

Advances in patch management technologies and features continue, even as company names change. Client agents, subscription services, and vulnerability assessment functionality are now commonplace. Broad platform support has expanded to include Red Hat Enterprise Linux, Sun Solaris, Novell NetWare, and HP-UX. Most solutions offer some language support, especially with the burgeoning Chinese influence in technology markets. In this guide, English isn't listed as a supported language unless it's the only language the product supports.

Subscription services and application patching are the new market battlegrounds. Subscription services offer weekly or monthly OS and application patch bundles. You can configure the agent to download a patch bundle customized to your platforms and application library. Patches are verified and tested by the service before they reach your system, which narrows but does not replace your own testing against the applications you actually run. In addition, many solutions notify you if patches are missing, or if your system has any security vulnerabilities.

Application patching is expanding beyond OS repair to include some of the biggest names in enterprise software, including Adobe Acrobat and Adobe Flash, Citrix ICA, NetWare, and Sun Java. Even consumer programs are entering the mix with patches for Mozilla's Firefox browser and Apple's iTunes. (Heaven help the admin who forgot to download and install the latest patch for the CEO's iPod!)

Essential features that are included in every product listed in this Buyer's Guide are patch verification and testing, deployment failure alerts, scan history retention, and Microsoft Office patching. The next frontiers include virtualization and the mobile workforce. Patch management systems will need to identify missing patches on virtual systems, whether they're virtual OSs or virtual applications, then distribute the appropriate patches to those virtual systems. For mobile applications, some products already support BlackBerry Server; and as smart phones and PDAs become more prevalent, enterprise users will require patching for email, Web, and file access.

Have a Plan

Securing your infrastructure is only getting harder. IT administrators are responsible for managing increasing numbers and types of platforms, devices, and applications. With these new assets come more opportunities for software cracks and even more patches. According to the CA Content Update Service, Microsoft alone released 379 patches from August 2006 through August 2007.

Don't put yourself in the position of having to deploy a quick fix or simply slap on the latest OS band-aid when you face a data center meltdown. Research patch management options now, think long term, and develop a plan. Consider the following questions:

• Does the solution support all of your OSs?

• Does it patch applications?

• Will it scan and report missing patches?

• Will it roll back if the installation causes problems?

• Do you want a subscription service that delivers patch bundles to client agents?

• Do you need vulnerability and compliance assessment and reporting?
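The "will it scan and report missing patches?" question above, turned into a baseline check you can run before any product is on the short list, as an added PowerShell example that is not part of this guide or of any listed product: a required-update baseline is compared against what each host reports installed, and every host short of the baseline is listed with the IDs it lacks. The KB identifiers, host names and per-host lists are constructed samples; the function names, the normalisation rule and PowerShell 3.0 as the minimum version are this example's own assumptions. On a live host the installed list comes from Get-HotFix, which returns the same HotFixID values the sample imitates.

```powershell
# Added example for this guide (not any listed product's code): report which
# baseline updates each host is missing. The per-host lists below are
# constructed samples; on a real host, (Get-HotFix).HotFixID gives the same
# shape. Assumes PowerShell 3.0 or later.

function ConvertTo-KBId {
    # Normalise an update ID so 'kb100001', ' KB100001 ' and 100001 compare equal.
    # -replace is case-insensitive in PowerShell, so one pattern covers 'kb'/'KB'.
    param([Parameter(Mandatory)] $Id)
    $digits = ([string]$Id).Trim() -replace '^KB', ''
    return "KB$digits"
}

function Get-MissingPatches {
    param(
        [Parameter(Mandatory)] [hashtable]$InstalledByHost,  # host -> IDs present
        [Parameter(Mandatory)] [string[]]$Baseline            # IDs every host must have
    )
    $required = @($Baseline | ForEach-Object { ConvertTo-KBId $_ } | Sort-Object -Unique)
    foreach ($hostName in ($InstalledByHost.Keys | Sort-Object)) {
        $present = @($InstalledByHost[$hostName] | ForEach-Object { ConvertTo-KBId $_ })
        # Set difference: baseline minus what the host reports. Extra updates on
        # the host (not in the baseline) are ignored; only shortfalls are flagged.
        $missing = @($required | Where-Object { $present -notcontains $_ })
        [pscustomobject]@{
            Computer  = $hostName
            Installed = $present.Count
            Missing   = $missing.Count
            MissingKB = ($missing -join ', ')
            Compliant = ($missing.Count -eq 0)
        }
    }
}

# Constructed baseline: the IDs a hypothetical monthly bundle requires.
$baseline = 'KB100001', 'KB100002', 'KB100003'

# Constructed scan results. A real collection loop over a host list would be:
#   $installedByHost[$name] = @(Get-HotFix -ComputerName $name).HotFixID
$installedByHost = @{
    'SRV01' = @('KB100001', 'KB100002', 'KB100003', 'KB099999')
    'SRV02' = @('kb100001', 'KB100003')       # lower-case ID from another tool
    'WKS07' = @()                             # freshly imaged, nothing applied yet
}

$results = @(Get-MissingPatches -InstalledByHost $installedByHost -Baseline $baseline)
$results | Format-Table -AutoSize

# Surface the shortfall where a scheduled task will show it, not just on screen.
$nonCompliant = @($results | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning "$($nonCompliant.Count) host(s) missing baseline updates: $($nonCompliant.Computer -join ', ')"
}
```

With the sample data, SRV01 is compliant (its extra KB099999 is ignored), SRV02 is missing KB100002 despite reporting its first ID in lower case, and WKS07 is missing all three. Keep a copy of each run's output if you want the scan history retention the guide lists as an essential feature; this script deliberately reports and does not install, since rollback is the product's job, not a baseline check's.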

You have numerous choices in selecting a software patching system. If you have the time, use it to make a choice that will fit your needs now and well into the future. In two or three years when your IT friends are scrambling to patch 50 PCs on a Friday night, and your system management solution finished the same project at noon, as well as completed an antivirus scan and deployed a new software package, you can kick back and enjoy the benefits of planning ahead.
Autonomic Software • 925-820-8209 • www.autonomic-software.com
Product: Autonomic Network Security Administrator (ANSA)
Price: $10 per node
Platforms: Windows Vista, XP, 2003, 2000; Mac OS X; Red Hat Enterprise Linux; Solaris; IBM AIX
Automatic OS migration: Yes
Agent: Yes
Subscription: Yes
Applications patched*: Adobe Acrobat and Flash, Apache, BlackBerry Server, Citrix ICA Client, Firefox and Thunderbird, NetWare, QuickTime, RealPlayer, Sun Java, WinZip

BMC Software • 877-945-6325 • www.bmc.com
Product: BMC Patch Manager
Price: $20 per desktop, $50 per server; requires BMC Configuration Manager at $10,000
Platforms: Windows Vista, XP, 2003, 2000; Red Hat Enterprise Linux; Solaris; HP-UX; IBM AIX
Automatic OS migration: Yes
Agent: Yes
Subscription: No
Applications patched*: Adobe Flash, BlackBerry Desktop and Server, Firefox and Thunderbird, iTunes, Microsoft apps**, QuickTime, RealPlayer, Sun Java, VMware

CA • 800-225-5224 • www.ca.com
Product: Unicenter Patch Management
Price: Starts at $12.48 per managed unit
Platforms: Windows Vista, XP SP2, 2000 SP1, SP2, and SP3; IBM AIX 5.3 TL6
Automatic OS migration: Yes, with Unicenter Desktop DNA
Agent: Yes
Subscription: Yes
Applications patched*: Adobe Acrobat and Flash, Firefox, Microsoft apps**, QuickTime, RealPlayer, VMware

Kace Systems Management • 877-646-8366 • www.kace.com
Product: KBOX Systems Management Appliance
Price: $9,900
Platforms: Windows Vista, XP, 2003, 2000; Mac OS X; Solaris 9 and 10; Red Hat Enterprise Linux AS 3 and 4, ES 3 and 4
Automatic OS migration: No
Agent: Yes
Subscription: Yes, free
Applications patched*: Adobe Flash and Acrobat Reader, Citrix ICA Client, Microsoft apps**, NetWare, QuickTime, RealPlayer, Sun Java

LANDesk Software • 801-208-1500 • www.landesk.com
Product: LANDesk Patch Manager
Price: $34
Platforms: Windows XP, 2000, NT, 98, 95; Mac OS X; Red Hat Enterprise Linux; SUSE Linux; Solaris
Automatic OS migration: Yes
Agent: Yes
Subscription: Yes
Applications patched*: Microsoft apps**

Lumension Security • 888-725-7828 • www.lumension.com
Product: PatchLink Update 6.4
Price: Starts at $1,695 for server software, plus $20 per node per year for the agent
Platforms: Server: Windows Server 2003. Agent: Windows Vista, XP, NT, 98; Mac OS X; Red Hat Enterprise Linux; Novell NetWare; Solaris; IBM AIX; HP-UX
Automatic OS migration: No
Agent: Yes
Subscription: Yes
Applications patched*: Adobe Flash, Citrix ICA Client, Firefox, Microsoft Data Access Components (MDAC), NetWare, Sun Java, Windows Media Player, Defender, Remote Desktop 6, QuickTime, WinZip

Microsoft • 800-642-7676 • www.microsoft.com
Product: Microsoft System Center Configuration Manager 2007
Price: Client license starts at $41; server license starts at $155
Platforms: Windows Vista, XP, 2000; Server 2003; Windows 2000 Server
Automatic OS migration: Yes
Agent: Yes
Subscription: Yes
Applications patched*: Microsoft apps**

New Boundary Technologies • 800-747-4487 • www.newboundary.com
Product: Prism Patch Manager
Price: $1,900 for 100 seats; must be purchased with an additional component of Prism Suite
Platforms: Windows Vista, XP, 2000, NT, 98; Server 2003
Automatic OS migration: No
Agent: Yes
Subscription: Yes
Applications patched*: Adobe Flash and Acrobat Reader, Citrix ICA Client, Firefox, Microsoft apps**, RealPlayer, Sun Java, WinZip

Novell • 800-529-3400 • www.novell.com
Product: Novell ZENworks Patch Management
Price: Starts at $18 for one unit for one year
Platforms: Windows Vista, XP, 2003, 2000, NT, 98; Mac OS X; IBM AIX; Red Hat Enterprise Linux; Solaris; Novell NetWare; SUSE Linux Enterprise Server; HP-UX
Automatic OS migration: Yes
Agent: Yes
Subscription: Yes
Applications patched*: Adobe Flash and Acrobat Reader, Citrix ICA Client, Firefox, Microsoft apps**, NetWare, QuickTime, RealPlayer, Sun Java, WinZip

Shavlik Technologies • 800-690-6911 • www.shavlik.com
Product: NetChk Protect
Price: Starts at $32 per desktop or server
Platforms: Windows XP, NT, 2003, 2000
Automatic OS migration: No
Agent: Yes
Subscription: No
Applications patched*: Adobe Flash and Acrobat, Apache, BlackBerry Server, Firefox and Thunderbird, iTunes, Microsoft apps**, QuickTime, RealPlayer, WinZip

Symantec • 888-252-5551 • www.symantec.com
Product: Altiris Patch Management Solution
Price: $29 per node; no charge for components
Platforms: Windows Vista, XP, NT 4.0, Server 2003, 2000; Red Hat Enterprise Linux AS 3 and 4, WS 3 and 4, ES 3 and 4
Automatic OS migration: Yes
Agent: Yes
Subscription: No
Applications patched*: Adobe Acrobat and Flash, Microsoft apps**

*Includes popular applications listed by most vendors; not a complete list.
**Too many applications to list; see Microsoft's Web site for a complete list.


EDITOR'S NOTE: Some vendors that you might expect to see in this Buyer's Guide said they didn't have a product that exactly matched the criteria or didn't respond to our requests for information about their products.

Buyer's Guide | Patch Management



Columns: Uninstalls and Rolls Back | Languages | Supports Tiered Servers | Bandwidth Limiting | Compatible with Windows Server Update Services | Auditing and Vulnerability Reporting | New Features (past 12 months)

(Continued from the vendor columns above: one entry per product, in the same order.)

Uninstalls and rolls back: Yes
Languages: French, German, Italian, Spanish
Supports tiered servers: Yes
Bandwidth limiting: Yes, through throttling
Compatible with Windows Server Update Services: Yes
Auditing and vulnerability reporting: Yes
New features (past 12 months): Enhanced reporting with Crystal Reports, enhanced compliance configuration and management, small business managed service, enhanced asset management

Uninstalls and rolls back: Yes
Languages: Arabic, Chinese-Simplified, Chinese-Traditional, Czech, Danish, Dutch, Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese, Portuguese-Brazil, Russian, Spanish, Swedish, Thai, Turkish
Supports tiered servers: Yes
Bandwidth limiting: Yes
Compatible with Windows Server Update Services: Yes
Auditing and vulnerability reporting: Yes
New features (past 12 months): Support for Dell firmware updates, HP-UX servers, IBM AIX servers, detailed patch compliance and deployment reports

Uninstalls and rolls back: Yes
Languages: Console available only in English; patches in French, German, Italian, Spanish
Supports tiered servers: Yes
Bandwidth limiting: Yes, through Unicenter Software Delivery
Compatible with Windows Server Update Services: Yes
Auditing and vulnerability reporting: Yes
New features (past 12 months): Delta rollups, system maintenance, offline processing, data pruning, rapid deployment, single point of control, deployment template

Uninstalls and rolls back: No
Languages: English
Supports tiered servers: No
Bandwidth limiting: No
Compatible with Windows Server Update Services: No
Auditing and vulnerability reporting: Yes
New features (past 12 months): Patch Fingerprint patented technology for vulnerability detection, access to patch repository, flexible scanning and distribution

Uninstalls and rolls back: Yes
Languages: Chinese-Simplified, Chinese-Traditional, Czech, Danish, Dutch, Finnish, French, German, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese PTG, Portuguese-Brazil, Russian, Spanish, Swedish
Supports tiered servers: Yes
Bandwidth limiting: Yes, including dynamic throttling based on user and network activity
Compatible with Windows Server Update Services: Yes
Auditing and vulnerability reporting: Yes
New features (past 12 months): User state detection, supersedence and dependencies, additional application support, increased Macintosh patch capabilities, secure mobile and remote Internet patching, custom Mac patches, automatic process management templates and workflows

Uninstalls and rolls back: Yes
Languages: Chinese-Simplified, Chinese-Traditional, Dutch, Finnish, French, German, Italian, Japanese, Korean, Portuguese-Brazil, Spanish, Swedish
Supports tiered servers: Yes
Bandwidth limiting: Yes, throttling built in to agent
Compatible with Windows Server Update Services: No
Auditing and vulnerability reporting: Yes
New features (past 12 months): Active Directory (AD) integration, nested groups, expanded platform support

Uninstalls and rolls back: No
Languages: Chinese-Simplified, Chinese-Traditional, Czech, Danish, Dutch, Finnish, French, German, Greek, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese PTG, Portuguese-Brazil, Russian, Spanish, Swedish, Turkish
Supports tiered servers: Yes
Bandwidth limiting: Yes, depending on the update installation binaries and controls
Compatible with Windows Server Update Services: Yes
Auditing and vulnerability reporting: Yes
New features (past 12 months): Compliance assessment, enhanced update categories, scan results reported using state messages, language versions rebundled under a single update, uses deployments instead of advertisements, client selectively downloads only missing applicable updates, network access protection, Wake on LAN (WOL) and maintenance windows, and new Dell, Intel, and HP update catalogs

Uninstalls and rolls back: Yes
Languages: Chinese-Simplified, Chinese-Traditional, Dutch, Finnish, French, German, Italian, Japanese, Korean, Portuguese-Brazil, Spanish, Swedish
Supports tiered servers: Yes
Bandwidth limiting: Yes
Compatible with Windows Server Update Services: Yes
Auditing and vulnerability reporting: No
New features (past 12 months): None

Uninstalls and rolls back: Yes
Languages: Chinese CHP, Chinese CHS, Chinese CHT, Dutch, Finnish, French, German, Italian, Japanese, Korean, Portuguese PTG, Portuguese-Brazil, Spanish, Swedish
Supports tiered servers: Yes
Bandwidth limiting: No
Compatible with Windows Server Update Services: No
Auditing and vulnerability reporting: Yes
New features (past 12 months): Automated agent distribution, patch fingerprint profiling, full automation, and audit compliance

Uninstalls and rolls back: Yes
Languages: Arabic, Chinese-Simplified, Chinese-Traditional, Czech, Danish, Dutch, Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese PTG, Portuguese-Brazil, Russian, Spanish, Swedish, Thai, Turkish
Supports tiered servers: Yes
Bandwidth limiting: Yes, through throttling settings and distributed consoles, servers, and agents
Compatible with Windows Server Update Services: Yes
Auditing and vulnerability reporting: Yes
New features (past 12 months): Support for machine-centric view, role-based administration, custom patches, dynamic product detection, multiple agent policies, aggregate reporting, multiple console configuration

Uninstalls and rolls back: Yes
Languages: Chinese-Simplified, Czech, Danish, Dutch, French, German, Italian, Japanese, Korean, Norwegian, Polish, Portuguese PTG, Portuguese-Brazil, Russian, Spanish, Swedish
Supports tiered servers: Yes
Bandwidth limiting: Yes, through throttling and checkpoint restart
Compatible with Windows Server Update Services: Yes
Auditing and vulnerability reporting: No
New features (past 12 months): Support for 64-bit processing and improved usability


Tried-and-True DNS Wisdom

Systems administrator Apostolos Fotakelis reveals his DNS best practices and troubleshooting insights

BY CAROLINE MARWITZ

DNS wasn't exactly designed with security in mind, and no one is more aware of this than Apostolos Fotakelis, a systems administrator with NATO in Albania. Apostolos, a regular contributor to Windows IT Pro's Reader to Reader section, compiled a set of DNS best practices based on his DNS experiences over the past 11 years he's been in IT, including a stint as systems administrator at Aristotle University of Thessaloniki, Greece. Recently Apostolos and I discussed the techniques he uses for making DNS more secure and some examples from his experiences troubleshooting problems related to name resolution.

Q: What sort of environment are you supporting?

A: For security reasons, I can't describe our infrastructure [at NATO], so I'll talk about my previous environment at the university instead.

We had eight servers. Initially they ran Linux, IRIX, Solaris, and Windows NT 4.0, but gradually we moved mainly to Windows Server 2003 R2, while preserving two servers running Linux. In July 2007, we installed a Windows Server 2008 Beta 3 server at one of our sites for testing purposes. The number of end users and workstations varied over time from 50 to 100, depending on our research projects in progress. The clients were running 32- and 64-bit Windows XP.

Q: DNS is a perennial topic of interest for many of our readers, since it's an essential part of their jobs. What are some DNS best practices you've developed over the years?

A: Generally, I always pay special attention to name resolution (mainly DNS, not so often WINS), since it's something that every infrastructure relies on. When name resolution doesn't work perfectly, it causes numerous problems that sometimes don't even point to name-resolution problems. So you need to make sure DNS/WINS is set up correctly before you can deal with other Windows IT issues, such as Active Directory and security.

Over time, I've developed a DNS best practices list that I always check when setting up a network (see the sidebar "A Sysadmin's DNS Best Practices"). Initially I followed Microsoft's DNS recommendations, then tried some other approaches as well. My DNS resources have been Microsoft TechNet, various forums, and personal experimentation. Also, as a Microsoft Certified Trainer (MCT), I've been lucky enough to have taught some smart students who asked me questions that required me to dig even further into DNS, and I also learned from troubleshooting the DNS problems that they faced in their environments. I've found these DNS best practices to be applicable for the vast majority of the companies and organizations I've worked with.

Q: What are some examples of unusual network behavior you've seen that have turned out to be name-resolution problems?

A: Well, usually big delays when opening shared folders on the network indicate such problems, but unfortunately there are also cases where the problem remains well hidden. For example, once I had a client whose Microsoft Exchange server logged numerous errors in the event log without giving any clue that would point to name resolution. It turned out to be a Global Catalog server wrongly registered in DNS; however, we lost many hours trying to troubleshoot the problem.

Testing name resolution is easy but usually isn't the first thing that comes to mind when you're troubleshooting problems. My experience so far has shown that unexplainable delays in a LAN usually are either name resolution or RPC (remote procedure call)-related, so I try to test these things first before moving to higher-level troubleshooting.

InstantDoc ID 98330

Caroline Marwitz (cmarwitz@windowsitpro.com) is an associate editor for Windows IT Pro and SQL Server Magazine, specializing in Active Directory, Group Policy, and desktop management.

MORE ON THE WEB

Read an expanded version of this article at www.windowsitpro.com, InstantDoc ID 98330.


A Sysadmin's DNS Best Practices

1. Create DNS zones in internal DNS servers to fight some obvious Web ads.

2. Use OpenDNS (www.opendns.com) DNS servers as forwarders, to add an extra layer of security.

3. Block the exact DNS protocols (UDP, TCP, or both) on the edge—the firewall—and on the server. Also, lock down the DNS server. I've found Windows Server 2003 SP1's security configuration wizard very useful for these two tasks.

4. Use Active Directory (AD)-integrated zones and secure dynamic updates.

5. Restrict DNS replication only to the necessary DNS servers.

6. Implement split DNS, if applicable.

7. Use DNSstuff (www.dnsstuff.com) to get useful additional information—also helpful for troubleshooting.

8. Get rid of NetBIOS over TCP and WINS. (Windows Server 2008 has a special DNS zone that eliminates the need for a WINS server.)

9. Develop your own best practices list!

InstantDoc ID 98331


Learning Path

WINDOWS IT PRO RESOURCES

"Deconstructing DNS," InstantDoc ID 48527
"Solving DNS Problems," InstantDoc ID 39771
"DNS Configuration Errors Breed AD Horror," InstantDoc ID 43582

MICROSOFT RESOURCES

"WPAD Entries," www.microsoft.com/technet/isa/2004/help/SRSP1_CnfWEntry.mspx?mfr=true
"Troubleshooting DNS clients," technet2.microsoft.com/windowsserver/en/library/0347e3db-f0IQ-4229-a722-5f8fe653f549!033.mspx?mfr=true


BY CRICKET LIU

When I talk about DNS security, I usually emphasize the importance of securing name servers. For example, I'm always encouraging administrators to disable or restrict access to recursion on external name servers. However, two recent exploits—a Web Proxy Autodiscovery Protocol (WPAD)-related problem and a vulnerability involving malicious resolver reconfiguration—are targeting stub resolvers (i.e., DNS clients) to work their mischief. What are these exploits and how can you defeat them?

WPAD

The first vulnerability involves WPAD, a protocol that lets Web browsers automatically determine the proxy settings they should use. Essentially, a Web browser that supports WPAD uses DNS to look up the name wpad and connects to the Web server at the returned address to retrieve a proxy auto-configuration file called wpad.dat. The browser then reads its proxy configuration from that file. The idea is to provide administrators a "hook" for specifying the proxy configuration for all the browsers in their organization from a single point. Currently, Microsoft Internet Explorer (IE), Mozilla Firefox, and Opera support this mechanism.

At first glance, WPAD appears innocuous. However, it can interact with the search list—in Windows parlance, the DNS suffix search list or DNS suffix search order—in unpredictable and undesirable ways. The search list is a series of domain names that are appended to names specified in the browser's address field or on the command line. For example, if your search list contains the domain names subdomain.company.com and company.com, and you type

  http://foo

in your browser's address field, the browser will look up foo.subdomain.company.com first and then (if that lookup doesn't return an address) foo.company.com. The search list applies to the browser's internal lookup for the name wpad, too.

You can explicitly set the search list, domain name by domain name, but the list is more commonly inherited (or devolved, in Microsoft terminology) from a Windows computer's local domain name (which Microsoft dubs the primary DNS suffix). The search list, by default, includes the local domain name and all its ancestor domain names with at least two labels. So, the local domain name sub.net.ac.uk would devolve to a search list of sub.net.ac.uk, net.ac.uk and ac.uk.

The problem arises when the combination of wpad and the elements of the search list unexpectedly matches a domain name outside your organization's control. For example, if your search list includes sub.org.co.nz, org.co.nz and co.nz, your browser will look up wpad.sub.org.co.nz, wpad.org.co.nz, then wpad.co.nz. If neither wpad.sub.org.co.nz nor wpad.org.co.nz exists, your browser could get its proxy configuration from wpad.co.nz, a domain name that your organization doesn't run! (Actually, Beau Butler, a Kiwi security researcher who recently publicized this very problem, runs the wpad.co.nz domain.) That configuration could instruct your browser to shunt all its Web traffic through a proxy server in Berzerkistan.

A malicious user could subvert the WPAD mechanism in another way: If he or she connects a computer named wpad to your network, that computer might be able to register its name in DNS, or your DHCP server might add the name to DNS on the computer's behalf. The malicious user could then set up a Web server on the computer to distribute a little hand-crafted wpad.dat file that, again, diverts all Web-browser traffic to Berzerkistan.

Addressing the WPAD Problem

You can deal with this problem in several ways. First, you can set up a Web server (or use an existing Web server) to distribute a correct, official proxy auto-configuration file to Web browsers that support WPAD. Then, add wpad A records to your zones, pointing to the Web server's address. (A records are DNS resource records that map domain names to IP addresses.) Second, you could use the site-local DHCP option 252 (aka auto-proxy-config) to specify the Web server and file from which browsers should load the proxy configuration. Either way, once a browser finds a proxy auto-configuration file, it will stop searching. Third, you can disable WPAD within the browser or through Group Policy. In IE, you can disable WPAD from Tools, Internet Options, Connections, LAN Settings. The dialog box that Figure 1 shows should appear. Clear the Automatically detect settings check box to disable WPAD.

A fourth option is to pare down the search list to the bare minimum. (Doing so is generally a good idea anyway; it prevents unexpected matches in contexts other than WPAD.) To disable the Windows devolution mechanism that populates the search list with the ancestors of the local domain name, clear the Append parent suffixes of the primary DNS suffix check box in the Control Panel Network applet's Advanced TCP/IP Settings window, as you see in Figure 2. Clearing this check box will prevent ancestors of the primary DNS suffix (but not the primary DNS suffix itself) from being included in the search list. Again, you can also accomplish this configuration through Group Policy.

Before culling all the ancestor domain names from the search list, however, you should make sure your users and their applications aren't counting on them. Users can become accustomed to typing shortened domain names into browsers or at the command line, and they might have used them in configuration files, too. For example, you might find that your users rely on several entries in the search list. If only the last of the domain names in the search list is problematic, you can set the search list explicitly to remove that single domain name but leave the rest. Figure 3 shows how to set the search list to include sub.org.co.nz and org.co.nz but not the troublesome co.nz.

Finally, even if you use the DHCP option to specify the Web server doling out your proxy auto-configuration file, you should add an A record for wpad to all your forward-mapping zones. Once a browser finds this A record, it will stop its search, even if no Web server is running at the IP address you specify. In many cases, adding a wpad A record to a zone will also keep a rogue computer named wpad from registering its name in DNS, because that name is already taken. If it doesn't prevent that—setting up a DHCP client with the computer name wpad to see if it can overwrite a wpad A record you added manually is simple—make sure your name server is configured to accept only secure dynamic updates (if it's a Microsoft DNS server) or that your DHCP server uses the interim DDNS update style (if you're running the Internet Systems Consortium—ISC—DHCP server).

On a final note, don't use the loopback address 127.0.0.1 in the A record. For some reason, an A record pointing to this loopback address doesn't stop the application of the search list.
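As an added example (not from the article), the devolution rule and the wpad lookup sequence described above, modelled in PowerShell so an administrator can audit a search list before trusting it. Get-DevolvedSearchList, Test-WpadSearchList and the -OwnedDomains parameter are my own names; reading the live search list assumes the DnsClient module (Windows 8 / Server 2012 or later), and -Resolve needs network access.

```powershell
# Added example, not from the article. Models the Windows devolution rule
# (primary suffix plus every ancestor with at least two labels) and lists the
# wpad names a WPAD-enabled browser would try for a given search list.
# Function and parameter names are my own; PowerShell 3.0 or later assumed.

function Get-DevolvedSearchList {
    param([Parameter(Mandatory)][string]$PrimarySuffix)
    $labels = $PrimarySuffix.TrimEnd('.').Split('.')
    if ($labels.Count -lt 2) { return $PrimarySuffix }
    # Keep the suffix itself and each ancestor that still has two labels,
    # e.g. sub.net.ac.uk -> sub.net.ac.uk, net.ac.uk, ac.uk
    for ($i = 0; $i -le $labels.Count - 2; $i++) {
        $labels[$i..($labels.Count - 1)] -join '.'
    }
}

function Test-WpadSearchList {
    param(
        # Defaults to the live suffix search list (DnsClient module,
        # Windows 8 / Server 2012 or later)
        [string[]]$SearchList = (Get-DnsClientGlobalSetting).SuffixSearchList,
        # Domains your organisation controls; any other suffix yields a
        # wpad name somebody else can answer
        [Parameter(Mandatory)][string[]]$OwnedDomains,
        # Also resolve each candidate name (needs network access)
        [switch]$Resolve
    )
    foreach ($suffix in $SearchList) {
        $name  = "wpad.$suffix"
        $owned = [bool]($OwnedDomains | Where-Object { $suffix -eq $_ -or $suffix -like "*.$_" })
        $addresses = @()
        if ($Resolve) {
            try {
                $addresses = @([System.Net.Dns]::GetHostAddresses($name) |
                    ForEach-Object { $_.IPAddressToString })
            } catch { $addresses = @() }
        }
        # A browser stops at the first wpad name that resolves, so an unowned
        # suffix that comes before any owned wpad record is the exposure
        $risk = if ($owned) { 'OK' } else { 'Foreign suffix: wpad lookup leaves your control' }
        [pscustomobject]@{
            Name      = $name
            Owned     = $owned
            Resolves  = ($addresses.Count -gt 0)
            Addresses = ($addresses -join ', ')
            Risk      = $risk
        }
    }
}

# The article's scenario: a primary suffix of sub.org.co.nz devolves down to
# co.nz, which the organisation does not run (constructed input, no network)
$searchList = Get-DevolvedSearchList -PrimarySuffix 'sub.org.co.nz'
Test-WpadSearchList -SearchList $searchList -OwnedDomains 'org.co.nz' | Format-Table -AutoSize
```

Run Test-WpadSearchList with no -SearchList on a domain member to audit the search list that machine actually uses.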

Malicious Resolver Reconfiguration

Recently, the Measurement Factory conducted a survey of the Internet's DNS infrastructure (dns.measurement-factory.com/surveys/200710.html) and found roughly 16 million open recursors. Open recursors are Internet IP addresses that will accept recursive queries from any querier.

These findings are bad enough in and of themselves: Hackers can use open recursors as accomplices in distributed Denial of Service (DoS) attacks against targets on the Internet. Open recursive name servers are also more susceptible to cache-poisoning attacks. However, further investigation into the nature of these open recursors revealed a more insidious threat.

A team of researchers (including Georgia Tech's David Dagon) sent queries to a subset of these open recursors and examined the responses. Most of the responses were correct, but some were wrong—most apparently due to bugs or misconfiguration. But some of the open recursors (about 68,000) returned responses that were both wrong and potentially malicious. These open recursors always returned the same addresses as the response to any query. Many of these addresses appear to belong to open proxy servers in unsavory locations (from an Internet standpoint), such as Russia and China, or on networks flagged to be frequent sources of spam.

Of course, no one in his or her right mind would deliberately reconfigure a computer's resolver to point to one of these open recursors. Yet, in captures of Georgia Tech's DNS traffic, Dagon and his team found many computers using these open recursors as primary sources of name resolution. Their resolvers had likely been reconfigured to use these open recursors by malware downloaded from the Internet—many species of malware do just this. Once the computers were thus reconfigured, the responses from the open recursors would shunt all Web traffic through these remote proxy servers, where the data (e.g., passwords, credit card information) could be captured and used maliciously.
Table 1: Firewall Rules

Allow/Deny | Source IP Address     | Source Port | Destination IP Address | Destination Port | Protocol
Allow      | Internal name servers | Any         | Any Internet           | 53               | UDP or TCP
Allow      | Any Internet          | 53          | Internal name servers  | Any              | UDP or TCP (connected)
Deny       | Any internal          | Any         | Any Internet           | 53               | UDP or TCP

Defending Against Resolver Reconfiguration

Besides the standard-issue precautions against downloading malware—such as educating users to employ proper discretion when downloading files from the Internet—there are measures you can take to prevent even compromised computers from falling victim to this scheme. Firewall rules should prevent arbitrary internal computers from querying name servers on the Internet. If malware is successful in changing a computer's resolver configuration, the resolver will simply stop working. The computer's user will likely report this problem to IT staff, who can then diagnose the problem, remove the malware, and restore the resolver's original configuration.

Table 1 shows a set of firewall rules that permits a designated set of internal name servers to query Internet name servers (and receive responses) but denies queries sent directly from internal resolvers to Internet name servers. If possible, the firewall should also use stateful filtering of UDP to accept UDP datagrams only from the IP addresses of Internet name servers that were recently queried by an internal name server.
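The firewall rules above make a rewritten resolver fail loudly; the check below, an added example that is not from the article, catches the rewrite itself by comparing each interface's configured DNS servers with the internal name servers you run. Test-ResolverConfiguration and its parameters are my own names; the live read assumes the DnsClient module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the article. Audits each interface's configured
# DNS servers against the internal name servers you actually run, which is
# the setting the malware described above rewrites. Function and parameter
# names are my own; the live read assumes the DnsClient module (Windows 8 /
# Server 2012 or later).

function Test-ResolverConfiguration {
    param(
        [Parameter(Mandatory)][string[]]$ApprovedServers,
        # InterfaceAlias -> server list, for offline checks of an export;
        # omit it to read the live configuration of this machine
        [hashtable]$Configured
    )
    if (-not $Configured) {
        $Configured = @{}
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } |
            ForEach-Object { $Configured[$_.InterfaceAlias] = @($_.ServerAddresses) }
    }
    foreach ($alias in $Configured.Keys) {
        $servers = @($Configured[$alias])
        # Any server not on the approved list is a candidate rogue recursor
        $rogue   = @($servers | Where-Object { $ApprovedServers -notcontains $_ })
        $status  = if ($rogue.Count -gt 0) { 'SUSPECT' } else { 'OK' }
        [pscustomobject]@{
            InterfaceAlias = $alias
            Servers        = ($servers -join ', ')
            Unapproved     = ($rogue -join ', ')
            Status         = $status
        }
    }
}

# Constructed sample: one clean interface and one whose first resolver has
# been pointed at an outside address (203.0.113.0/24 is a documentation range)
$sample = @{
    'Ethernet' = @('10.0.0.53', '10.0.1.53')
    'Wi-Fi'    = @('203.0.113.7', '10.0.0.53')
}
Test-ResolverConfiguration -ApprovedServers '10.0.0.53', '10.0.1.53' -Configured $sample |
    Format-Table -AutoSize

# Once the malware is removed, put the interface back on the internal servers:
# Set-DnsClientServerAddress -InterfaceAlias 'Wi-Fi' -ServerAddresses '10.0.0.53', '10.0.1.53'
```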

Don't Forget the Client

Like most IT administrators, you might be focusing your efforts on securing name servers, but attacks can also target clients. Due attention is therefore necessary. Successful attacks against resolvers can result in just as much damage—and can be considerably more subtle—as attacks against name servers.

For more helpful DNS best practices and tools, please visit my online library of resources at www.infoblox.com/library/dns_resources.cfm.

InstantDoc ID 98236

Cricket Liu (cricket@infoblox.com) is vice president of architecture for Infoblox, serving as liaison with the technical community. He's a DNS authority and coauthor of O'Reilly's Nutshell Handbooks about DNS, including the classic DNS and BIND.
In PowerShell, you can connect cmdlets together to create a pipeline and use the Where-Object cmdlet to filter objects passed down that pipeline. For example, in the following statement, objects from the Get-ChildItem (referenced by the dir alias) cmdlet are piped to a Where-Object cmdlet (referenced by the where alias), which filters out all items in C:\Windows, except those larger than 500,000 bytes:

  dir c:\windows |
    where {$_.Length -gt 500000}

Notice that the Where-Object cmdlet includes an expression 
that's enclosed in braces ({}). The expression states that the current 
value of the Length property must be greater than 500,000. The value 
of the Length property is retrieved by using $_.length. The $_ symbol 
references the current object in the pipeline, and .length retrieves the 
value of the Length property. The expression then uses the -gt (greater 
than) operator to compare the Length property value to the value of 
500,000. 

As with any language, PowerShell provides a set of operators that let you create expressions you can incorporate into your statements. An expression is a block of code that PowerShell evaluates; the result of that evaluation determines what action to take. For example, in the preceding statement, PowerShell determines whether the Where-Object expression is true or false. When the expression evaluates to true—that is, the current object's Length property value is greater than 500,000—that object is passed down the pipeline and displayed in the output. If the expression evaluates to false—that is, the current object's Length property value isn't greater than 500,000—the object is discarded and not displayed in the output.

PowerShell includes a variety of operators that you can use in your expressions. This lesson describes many of those operators and provides examples of how to use them. In addition, the Web-exclusive sidebar "How to Find Out a Cmdlet's Properties," www.windowsitpro.com, InstantDoc ID 98175, discusses how to find property names, such as those used in the Where-Object expressions in the examples provided.

Comparison Operators 

As the name suggests, comparison operators compare values. When 
an expression contains a comparison operator, PowerShell compares 
the value to the left of the operator with the value to the right of it. You 
saw this idea in the preceding example, in which the Length property 
value is compared to 500,000. PowerShell provides many comparison 
operators, as Table 1, page 40, shows. Let's examine some of those 
operators to see how they work. 

The following statement does the opposite of the preceding example—it returns items whose lengths are smaller than 500,000 bytes:

  dir c:\windows |
    where {$_.Length -lt 500000}
As you can see, the only difference between the two statements is the comparison operator. This statement uses the -lt (less than) operator rather than the -gt operator.

Other comparison operators follow the same logic. The following statement uses the -eq (equal to) operator to compare the Responding property value to the string true in order to retrieve a list of responding processes:

  get-process |
    where {$_.responding -eq "true"}

For the Where-Object expression to evaluate to true, the Responding property value must equal true. As a result, only responding processes are returned, as Figure 1 shows.

By default, all comparison operators perform case-insensitive comparisons. If you want to be more precise in your code, you can add the letter i to a comparison operator (e.g., -ieq) to explicitly specify a case-insensitive comparison. However, because this is the default behavior, adding the i isn't necessary.

You can make any comparison case-sensitive by adding the letter c to the comparison operator (e.g., -ceq). For example, the statement

  "True" -eq "true"

evaluates to true because it ignores case, whereas the statement

  "True" -ceq "true"

evaluates to false because it takes case into account.

I realize that these are very basic examples, but when working in a Windows environment, case often isn't a concern because filenames, process names, and other item names are case-insensitive. But as you become more familiar with PowerShell and learn how to retrieve other types of lists in which case-sensitivity is important, you'll find being able to make an operator case-sensitive useful.

Another useful PowerShell feature is wildcards. For example, if you don't know the exact name of an item when creating an expression to compare values, you can use wildcards in the compared value (the value after the operator). Table 2 describes the wildcards that PowerShell supports.

You implement wildcards through the 
use of the -like and -notlike comparison 
operators. (Note that -like and -notlike as 


well as -match, -notmatch, and -replace are 
sometimes referred to as pattern-matching 
operators.) For instance, suppose you want 
to find all Google-related processes on a 


Table 1: 

PowerShell Comparison Operators 


Operator 

Description 

Case-sensitive 

version 

Explicit case-insensitive 
version 

-eq 

Equal to 

-ceq 

-ieq 

-ne 

Not equal to 

-cne 

-ine 

-gt 

Greater than 

-cgt 

-igt 

-ge 

Greater than or equal to 

-cge 

-ige 

-It 

Less than 

-clt 

-ilt 

-le 

Less than or equal to 

-cle 

-ile 

-like 

Uses wildcards to find match¬ 
ing patterns 

-dike 

-ilike 

-notlike 

Uses wildcards to find non¬ 
matching patterns 

-cnotlike 

-inotlike 

-match 

Uses regular expressions to 
find matching patterns 

-cmatch 

-imatch 

-notmatch 

Uses regular expressions to 
find nonmatching patterns 

-cnotmatch 

-inotmatch 

-contains 

Determines whether value on 
the left side of the operator 
contains the value on the right 

-ccontains 

-icontains 

-notcontains 

Determines whether value on 
the left side of the operator 
does not contain the value on 
the right 

-cnotcontains 

-inotcontains 

-replace 

Replaces part or all of the value 
on left side of the operator 

-creplace 

-ireplace 
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Figure 1: Retrieving a list of processes 


Table 2: 

PowerShell Wildcards 

Operator 

Description 

Example 

True (match) 

False (no match) 

* 

Matches zero or more 
of any character 

ab* 

ab, abc, about 

against 

? 

Matches any one char¬ 
acter 

r?d 

red, rid, rod 

bed 

[char-char] 

Matches a range of 
sequential characters 

[a-h]ug 

bug, dug, hug 

lug 

[char...] 

Matches any one 
character in a set of 
characters 

[cft]ool 

cool, fool, tool 

pool 
Figure 2: Retrieving a list of Google-related processes

Figure 3: Using the -and operator in an expression



There are two conditions, each of which is enclosed in parentheses. The first condition ($_.handles -gt 500) specifies that the number of handles must be greater than 500 for a given process. The second condition ($_.pm -ne 0) specifies that the paged memory size must not equal 0. The -and logical operator connects these two conditions. As a result, both conditions must evaluate to true for the entire expression (enclosed in braces) to evaluate to true. Only those processes that meet both of these conditions are returned, as Figure 3 shows.

Now let's take a look at the -or operator. The following statement is the same as the preceding example except that it uses -or instead of -and:

get-process |
  where {($_.handles -gt 500)
    -or ($_.pm -ne 0)}


computer. You can use the -like operator to return all processes created by companies whose name includes the string google:

get-process |
  where {$_.company -like "*google*"}

The asterisk wildcard matches zero or more characters, so you'll receive accurate results no matter whether the company name is stored in Windows as Google, Google Inc., or another variation. Figure 2 shows the results from this statement. If you were to use the -notlike operator instead of the -like operator, all non-Google processes would be returned.

In addition to wildcards, PowerShell supports regular expressions, which are based on the Microsoft .NET Framework regular expression classes. You implement regular expressions through the use of the -match and -notmatch operators. PowerShell's support for regular expressions is quite extensive, as extensive as you would find in any .NET language. For this reason, a discussion about them is beyond the scope of this lesson. For information about them, see PowerShell's about_regular_expression and about_comparison_operators Help files.

Logical Operators

So far, I've discussed how to use comparison operators in expressions. When you use one of these operators, you create a condition that's evaluated to determine whether to take a specific action. However, in some cases, you might want to create expressions that include multiple conditions. In other words, you might want to perform more than one comparison to determine whether to take that action.

To perform multiple comparisons in a single expression, you must use logical operators to link conditions together. Logical operators, which are described in Table 3, specify what logic to use when evaluating multiple conditions.

Let's take a look at an example to illustrate how logical operators work. The following statement uses the Get-Process cmdlet to retrieve a list of running processes:

Get-Process |
  where {($_.handles -gt 500)
    -and ($_.pm -ne 0)}


Table 3: PowerShell Logical Operators

Operator   Description
-and       Both conditions must be true for expression to evaluate to true
-or        One or both conditions must be true for expression to evaluate to true
-not       Specified condition must be false for expression to evaluate to true
!          Specified condition must be false for expression to evaluate to true
Figure 5: Using the -not operator in an expression

[Figure 6 is a PowerShell window showing the two statements discussed below and their output: the concatenated string "Use + to add two strings together." and the repeated string abcabcabcabc.]

Figure 6: Using arithmetic operators to concatenate strings

"Use + to add two" +
  " " + "strings together."

Figure 6 shows the results of concatenating these two values. This figure also shows the results for the statement:

"abc" * 4

In this case, the * operator is used to multiply a string value four times. As a result, four copies of the value are returned, and those values are concatenated into one string.

My arithmetic-operator examples are very basic. As you work through the lessons, you'll see more complex examples of how these operators can be used. This section is meant only to introduce you to the arithmetic operators so that you can begin to use them. To learn more about these types of operators, see the about_arithmetic_operators Help file.


In this case, at least one of the conditions must evaluate to true for a process to be included. In other words, the process must have a handle count greater than 500 or the paged memory size must not equal 0 or both. As a result, many more processes are returned, as Figure 4 shows.

You can use the -not logical operator to indicate that a specified condition must not be true. For example, the following statement specifies that the handle count must be greater than 100 and the company name must not be Microsoft Corporation:

get-process |
  where {($_.handles -gt 100)
    -and -not ($_.company -eq
      "Microsoft Corporation")}

This statement returns all non-Microsoft processes, as Figure 5 shows.
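As an added illustration (not part of the lesson), the following script builds a few constructed process-like records and runs the wildcard, regular-expression, logical, and -contains operators over them, so the case-sensitivity and collection-versus-substring distinctions can be seen without depending on what happens to be running; the record values are made up for the example.

```powershell
# Added example, not from the lesson: constructed process-like records so the
# operators can be tried offline instead of against a live Get-Process call.
$procs = @(
    (New-Object PSObject -Property @{ Name = 'chrome';  Company = 'Google Inc.';           Handles = 812; PM = 95MB }),
    (New-Object PSObject -Property @{ Name = 'svchost'; Company = 'Microsoft Corporation'; Handles = 640; PM = 12MB }),
    (New-Object PSObject -Property @{ Name = 'notepad'; Company = 'Microsoft Corporation'; Handles = 70;  PM = 2MB  }),
    (New-Object PSObject -Property @{ Name = 'updater'; Company = 'GOOGLE';                Handles = 120; PM = 0    }),
    (New-Object PSObject -Property @{ Name = 'unknown'; Company = $null;                   Handles = 510; PM = 1MB  })
)

# -like is case-insensitive unless you ask otherwise, so 'Google Inc.' and
# 'GOOGLE' both match; -clike is the explicit case-sensitive form and matches
# only the record whose company is spelled 'Google'.
$googleAny   = $procs | Where-Object { $_.Company -like  '*google*' }
$googleExact = $procs | Where-Object { $_.Company -clike '*Google*' }

# -and combined with -not, as in the lesson: busy processes that are not
# Microsoft's. A record with no company value passes, because
# $null -eq 'Microsoft Corporation' is false and -not turns that into true.
$busyNonMs = $procs | Where-Object {
    ($_.Handles -gt 100) -and -not ($_.Company -eq 'Microsoft Corporation')
}

# -match takes a .NET regular expression instead of a wildcard pattern.
$knownVendor = $procs | Where-Object { $_.Company -match '^(Google|Microsoft)\b' }

# -contains asks whether a collection holds an exact (case-insensitive) value;
# it does not do substring matching. 'GOOGLE' is not equal to 'Google Inc.',
# and a $null company is in no list, so both fall outside the trusted set.
$trusted       = 'Microsoft Corporation', 'Google Inc.'
$unknownVendor = $procs | Where-Object { -not ($trusted -contains $_.Company) }

function Show-Names([string]$label, $records) {
    $names = @($records | ForEach-Object { $_.Name })
    "{0,-20}: {1}" -f $label, ($names -join ', ')
}

Show-Names "-like '*google*'"  $googleAny
Show-Names "-clike '*Google*'" $googleExact
Show-Names "-and -not"          $busyNonMs
Show-Names "-match"             $knownVendor
Show-Names "not in trusted"     $unknownVendor
```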

Arithmetic Operators

PowerShell supports the use of arithmetic operators to perform mathematical calculations. Table 4 describes the operators and provides basic examples. In addition to using the operators for mathematical calculations, you can use some of the operators other ways. For example, you can use the + operator to concatenate string values:


Moving Forward

In this lesson, you learned that PowerShell supports a number of operators that let you create expressions and perform calculations. However, this lesson doesn't cover all operators. For example, PowerShell also supports bitwise operators that perform binary operations and assignment operators that assign values to variables. I'll be covering many of these operators as we progress through the lessons. In the meantime, refer to the PowerShell Help files to learn more about the available operators.
Robert Sheldon (contact@rhsheldon.com) is a technical consultant and the author of numerous books, articles, and training material related to Microsoft Windows, various relational database management systems (including SQL Server), and business intelligence design and implementation. He is also the author of the novel Dancing the River Lightly.


Table 4: PowerShell Arithmetic Operators

Operator   Description                                  Example   Result
+          Adds two values                              10 + 5    15
-          Subtracts one value from another             10 - 5    5
-          Converts a value to a negative number        -5 + 10   5
*          Multiplies two values                        10 * 5    50
/          Divides two values                           10 / 5    2
%          Returns the remainder from divided numbers   10 % 3    1
PROBLEM:

You're up against a migration deadline. How can you quickly rehost your older production servers as virtual machines without deploying ADS to your entire organization?

SOLUTION:

You've prepared your ADS 1.1 mobile solution and have installed Virtual Server Migration Toolkit 1.1. Now you can use VSMT to extend the ADS solution and perform physical to virtual (P2V) migrations anywhere in your organization.

WHAT YOU NEED:

Windows Server 2003 Enterprise Edition, Dynamic Host Configuration Protocol (DHCP) Server, ADS 1.1, Virtual Server 2005 R2 SP1, VSMT 1.1 on your mobile cart. And a source server running Server 2003, Enterprise.

DIFFICULTY: 

>oo 


10 STEPS FOR PHYSICAL TO VIRTUAL OS MIGRATION

BY ROBERT LARSON

If you're up against a tight OS migration deadline, you'll be a hero if you have a fully functional and tested physical to virtual (P2V) solution on a server that you can take anywhere in your organization. A P2V solution lets you perform a migration with no impact on or reconfiguration of your production network. I'll explain the inner workings of the Microsoft Virtual Server Migration Toolkit (VSMT) and demonstrate how to configure a mobile server using ADS for the P2V migration.

I'll pick up where I left off in this series. In "ADS Unplugged" (October 2006, InstantDoc ID 93625), I showed how to build a basic mobile ADS solution for Windows OS migrations. Then, in the Web-exclusive article, "Kick Your Mobile ADS Solution Up a Notch" (February 2007, InstantDoc ID 94982), I went over how to install VSMT to extend the mobile ADS solution to perform physical machine to virtual machine migrations. Now I'll demonstrate how to use VSMT to perform a P2V machine migration.

Before You Begin

Using this series of articles, you've seen how to create a mobile ADS solution by assembling the necessary hardware on a movable cart and installing the basic software: Windows Server 2003 Enterprise Edition, Dynamic Host Configuration Protocol (DHCP) Server, ADS 1.1, Virtual Server 2005 R2 SP1, and VSMT 1.1. I call the source server Testserver, and I assume it's running Windows Server 2003, Enterprise. To perform a P2V migration, you need to follow 10 steps, as I'll show in this article.

Before you begin, put some time into deciding whether your servers are good candidates for a P2V conversion. Sometimes it's not worth it to perform a P2V migration on an unstable production server because the instability issue just comes along during the migration. If this is the case, it might be better to rebuild the virtual machine from scratch and move the data from the old physical server to the new virtual server. In addition, for servers that have OEM system applications, you should uninstall or disable them before you attempt a P2V migration to ensure that they will not interfere with the virtual machine on first boot.

Are your servers good candidates for a P2V conversion? If so, you're ready to get started.

STEP 1: Prepare the Source System

Although VSMT doesn't modify the source system, I recommend that you follow the best practice of backing up the source system before you start the P2V migration process. In addition, disable any drivers or applications that are specific to the physical hardware and that won't be available in the virtual machine environment.

STEP 2: Prepare the MobileP2V Server

VSMT includes a tool called GatherHW.exe that collects the physical hardware information on the source server and creates an XML configuration file you can use to analyze the source server for any known hardware incompatibilities in the source system (dynamic disks, more than 3.6 GB RAM, unsupported devices, and so forth). To run GatherHW.exe, you must copy it to the source system. I recommend creating a share called VSMT on the MobileP2V server in the VSMT installation folder, which is by default C:\Program Files\Microsoft VSMT. You'll also need a place to store the XML files that GatherHW.exe produces, so create a directory called C:\P2VSource on MobileP2V and share it as P2VSource, specifying local administrator write permissions.

Here's a quick summary of the MobileP2V server drive configurations you'll be using: C drive (C: - operating system), D drive (D: - ADS image files), and E drive (E: - virtual machine storage).

STEP 3: Gather the Configuration Information

Once you've created the shares on the MobileP2V server, log on to Testserver as the local administrator. Then, create a directory called C:\VSMT, and


Why VSMT 1.1 Doesn't Support Virtual Server 2005 R2 SP1

If you're using the Virtual Server Migration Toolkit version 1.1 (VSMT) with Windows Server 2003, you can run into problems with the patch cache. The problem is associated with the fact that VSMT 1.1 requires the .Net 1.1 Framework assembly Microsoft.VirtualServer.Interop version 1.465. Virtual Server 2005 R2 Service Pack 1 (SP1) comes with version 1.603 of the assembly, but that isn't the prime issue. When Virtual Server 2005 R2 SP1 was being built, the Microsoft development team transitioned to .Net Framework 2.0, so all the assemblies are .Net Framework 2.0 versions. VSMT 1.1 can't communicate with the newer version of the Microsoft.VirtualServer.Interop assembly because there isn't an updated version of VSMT compiled with .Net Framework 2.0.

To work around this issue, you need to maintain the MobileP2V server at the Virtual Server 2005 R2 version so that the correct assembly is installed. This won't affect the Virtual Hard Disks (VHDs) created, but you'll want to install the virtual machine additions from the SP1 release (build 813) on all migrated virtual machines.

InstantDoc ID 97854


map a network drive to \\MobileP2V\VSMT. Copy GatherHW.exe to C:\VSMT. Double-click GatherHW.exe on the source system to collect the configuration information. GatherHW.exe creates an XML file with the name of the source system (e.g., Testserver.xml) in the directory. Copy the XML file to \\MobileP2V\P2VSource.

STEP 4: Validate the Configuration Information

After collecting the configuration information from Testserver with GatherHW.exe, use VMScript.exe (which was installed on MobileP2V as part of VSMT) to validate the data. To run VMScript.exe against the XML file, log on to the MobileP2V server and open a command prompt. Change directory to C:\Program Files\Microsoft VSMT. In the command window, execute VMScript by typing:

VMScript.exe /hwvalidate /hwinfofile:"C:\P2VSource\Testserver.xml"

VMScript analyzes the XML file and reports any errors or configuration issues with the source hardware. (Note that some server hardware such as special add-in boards, USB-attached devices, and other devices, such as fiber channel host bus adapters, won't work on virtual machines.)

Examine the VMScript output for any issues, warnings, or errors. Use Vmpatch.exe to correct any issues and copy any missing system files, service packs, or hotfix files before continuing. If you receive



SOLUTION STEPS:

1. Prepare the source system.
2. Prepare the MobileP2V server.
3. Gather the configuration information.
4. Validate the configuration information.
5. Generate the migration scripts.
6. Load the required drivers into ADS.
7. Capture the Testserver system disk.
8. Create the virtual machine.
9. Deploy the ADS disk images to the TestMigration virtual machine.
10. Complete the migration process.
name of the Virtual Server host (MobileP2V).

By default, the migration scripts are configured to create fixed-size virtual hard disks. If the physical disks on the source system have an extensive amount of unallocated free space or you don't want to use fixed-size virtual hard disks, execute VMScript with the /virtualDiskDynamic option. This option also speeds up the virtual machine creation process. If you use /virtualDiskDynamic, the command line


the following error regarding missing Windows Server 2003 Service Pack 2 (SP2) files, see the sidebar, "Adding Windows Server 2003 SP2 Support to the VSMT Patch Directory," for how to update the patch cache with Windows 2003 SP2 drivers.

Error: Cannot find patch files for the operating system/service pack level in the C:\Program Files\Microsoft VSMT\Patches\Source\5.2.3790\SP2 directory.

STEP 5: Generate the Migration Scripts

After you've resolved any issues with the Testserver configuration and you've rerun VMScript until there are no blocking issues, generate the migration scripts. These scripts control disk image capture, virtual machine creation, and disk image deployment to the virtual machine. To generate the migration script, run VMScript with the following syntax:

VMScript /hwgeneratep2v /hwinfofile:"path\Source.xml" /name:vm_name /vmconfigpath:"vm path" /virtualDiskPath:"vm path" /hwdestvs:controller_server

In this script, path\Source.xml is the path to the XML configuration file (C:\P2VSource\TestServer.xml), vm_name is the name to assign to the virtual machine in the Virtual Server console (TESTMIGRATION), vm path is the location where you want the .vmc and the .vhd files to be stored on the specified host (E:\VMs), and controller_server is the


looks like:

VMScript /hwgeneratep2v /hwinfofile:"C:\P2VSource\TestServer.xml" /name:TESTMIGRATION /vmconfigpath:"E:\VMs" /virtualDiskPath:"E:\VMs" /hwdestvs:MOBILEP2V /virtualDiskDynamic

VMScript.exe generates the migration scripts in a subdirectory, C:\Program Files\Microsoft VSMT\p2v\TESTMIGRATION. Execute the VMScript command line, and you'll see the output shown in Figure 1. VMScript creates 12 output files that are used during the migration process. The readme file, TestMigration_P2V_Readme.txt, provides information about script creation and driver issues. The three XML files contain information used during the migration about the hard disk and driver configuration. The TestMigration_boot.ini file is a copy of the boot.ini information from the source machine. You'll execute three scripts directly during the migration process: TestMigration_Capture.cmd captures the source disk drives into ADS images, TestMigration_CreateVM.cmd creates the target virtual machine using the source configuration information, and TestMigration_DeployVM.cmd images the captured source disk images to the target VM drives.

VMScript also creates a subdirectory called Patches. It is automatically populated with known patches that you'll need to install.
STEP 6: Load the Required Drivers into ADS

When VMScript validates the source system configuration information, it doesn't validate that all the required drivers are installed in the ADS file cache. The most important driver to install is the source system network card. Without this driver, the source server can't be captured. Download the latest network interface card drivers for the source system to a temporary directory on MobileP2V. Copy the driver files into C:\Program Files\Microsoft ADS\NBS\Repository\User\PreSystem. When you copy the network interface card driver files into the ADS file cache, don't create any subdirectories or include Txtsetup.oem files. The subdirectories aren't needed because the driver files must be placed directly in the PreSystem directory, and the Txtsetup.oem file isn't used.

After you've copied the files, restart the ADS Builder service so that it finds the new drivers. Open a command window and type

net stop adsbuilder

Then press Enter. Type

net start adsbuilder

Then press Enter.


STEP 7: Capture the Testserver System Disk

Now you're ready to capture the Testserver system disk images. The TestMigration_Capture.cmd migration script executes and leverages ADS to capture each disk image sequentially. Log on to MobileP2V as local administrator and follow these steps to start the disk image capture process of TestServer. Open a command window and change directories to C:\Program Files\Microsoft VSMT\p2v\TestMigration. Execute the TestMigration_capture.cmd script. When prompted, log on to the source server, Testserver, restart it, and boot it to the Pre-execution Environment (PXE) interface.

ADS takes control of the source system and boots it into the Deployment Agent to initiate the disk image capture. To follow the progress of each disk image capture, you can use the Automated Deployment Service MMC snap-in on the Controller server. In the MMC snap-in, go to Devices, Running Jobs, then double-click on the running job, as shown in Figure 2. Image captures can take awhile depending on the size and number of the disks. If the server has a slow network interface, consider updating the interface card to a faster card connected to a faster port to reduce the transfer time. When the image captures are complete, ADS shuts down and removes the source system from the device database. The last task before



Adding Windows Server 2003 SP2 Support to the VSMT Patch Directory

The default installation of VSMT 1.1 doesn't come with Windows Server 2003 Service Pack 2 (SP2) patch files. These files are required for the post-deploy modification task, but they must also exist to complete the hardware validation test on a source server with SP2 installed.

To update your VSMT 1.1 installation with Windows Server 2003 SP2, download the SP2 executable from www.microsoft.com/downloads. Extract Windows 2003 Server SP2 to C:\Temp\SP2 using the /x command line option.

Create a folder called SP2 in C:\Program Files\Microsoft VSMT\Patches\Source\5.2.3790\. Copy all the XML files from the ...\5.2.3790 directory to the ...\5.2.3790\SP2 directory. Copy the following files from the C:\TEMP\SP2 extracted copy of Windows Server 2003 SP2: ntoskrnl.exe, ntkrnlpa.exe, winsrv.dll, ntdll.dll, kernel32.dll, halacpi.dll, HAL.dll, aic78xx.sys, atapi.sys, intelide.sys, pciide.sys, pciidex.sys, win32k.sys. Update the cache using VMPatch:

VMPatch /s:c:\temp\sp2

Now your VSMT installation is ready to migrate Windows Server 2003 servers with SP2 installed.
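The sidebar's manual steps as an added PowerShell script (not from the article or from VSMT). It assumes SP2 has already been extracted to C:\Temp\SP2 with /x, that VSMT is in its default folder with VMPatch.exe alongside VMScript.exe, and that the listed files go into the new SP2 folder; where the extracted package keeps them in a subfolder is also an assumption, so the script searches the whole tree.

```powershell
# Added example, not part of the sidebar: stage the Windows Server 2003 SP2
# files that VSMT 1.1 lacks into its patch cache, then let VMPatch update it.
$vsmtRoot  = 'C:\Program Files\Microsoft VSMT'           # default install folder
$sourceDir = Join-Path $vsmtRoot 'Patches\Source\5.2.3790'
$sp2Dir    = Join-Path $sourceDir 'SP2'
$extracted = 'C:\Temp\SP2'                                # SP2 unpacked here with /x

# The system files the sidebar says VSMT needs for an SP2 source server.
$required = 'ntoskrnl.exe', 'ntkrnlpa.exe', 'winsrv.dll', 'ntdll.dll',
            'kernel32.dll', 'halacpi.dll', 'hal.dll', 'aic78xx.sys',
            'atapi.sys', 'intelide.sys', 'pciide.sys', 'pciidex.sys',
            'win32k.sys'

if (-not (Test-Path $extracted)) {
    throw "Extract SP2 to $extracted first (run the SP2 executable with /x)."
}
if (-not (Test-Path $sourceDir)) {
    throw "VSMT patch source directory not found: $sourceDir"
}

# Create ...\5.2.3790\SP2 and seed it with the XML descriptors from the
# parent 5.2.3790 directory, as the sidebar instructs.
New-Item -ItemType Directory -Path $sp2Dir -Force | Out-Null
Copy-Item -Path (Join-Path $sourceDir '*.xml') -Destination $sp2Dir -Force

# Locate each required file anywhere under the extracted SP2 tree (assumption:
# the extraction leaves them uncompressed in a subfolder) and copy it flat into
# the SP2 folder. Collect what is missing rather than stopping at the first gap,
# so one run reports everything that still has to be supplied.
$missing = @()
foreach ($name in $required) {
    $hit = Get-ChildItem -Path $extracted -Recurse -Filter $name |
           Where-Object { -not $_.PSIsContainer } |
           Select-Object -First 1
    if ($hit) {
        Copy-Item -Path $hit.FullName -Destination (Join-Path $sp2Dir $name) -Force
    } else {
        $missing += $name
    }
}
if ($missing.Count -gt 0) {
    throw ("SP2 files not found under {0}: {1}" -f $extracted, ($missing -join ', '))
}

# Same command the sidebar gives, run from the VSMT folder.
Push-Location $vsmtRoot
try {
    & '.\VMPatch.exe' "/s:$extracted"
} finally {
    Pop-Location
}
"Staged {0} SP2 files into {1}" -f $required.Count, $sp2Dir
```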
[Figure 4 is a screenshot of the Windows Automated Deployment Services Deployment Agent (version 1.1) console during the restore: it lists the boot selection and boot options, the PXE-assigned local network configuration of the virtual machine, and a "Restore progress" percentage under Deployment Agent Status.]

Figure 4: Virtual machine deployment progress status


the script terminates is changing system file attributes, as shown in Figure 3, page 47.

STEP 8: Create the Virtual Machine

Before you migrate the captured disk images, you must create the virtual machine and configure it with the same memory, disk, and network configuration as the physical machine. The TestMigration_CreateVM.cmd script (one of the scripts that VMScript generates) automates this for you. To launch the script, open a command window and change directories to C:\Program Files\Microsoft VSMT\p2v\TestMigration. Execute the TestMigration_CreateVM.cmd script. The script creates a new virtual machine configuration file E:\VMs\TestMigration\TestMigration.vmc, registers the virtual machine, connects the virtual machine to the default virtual network VM0, creates and attaches the virtual hard disks (VHDs) to the virtual machine, and attaches a Remote Installation Services (RIS) virtual floppy disk to the virtual floppy drive. If you get this error

Error :System.IO.FileLoadException: The located assembly's manifest definition with the name 'Microsoft.VirtualServer.Interop' does not match the assembly reference.

then the MobileP2V server is running Virtual Server 2005 R2 Service Pack 1 (SP1). VSMT 1.1 is compatible with Virtual Server 2005 R2 but not Virtual Server 2005 R2 SP1. Refer to the sidebar, "Why VSMT 1.1 Doesn't Support Virtual Server 2005 R2 SP1," page 45, for more information on how to resolve this issue.

When all these tasks are complete, check the ADS device database using the ADS MMC snap-in. The virtual machine should have been added to the ADS device database and set to boot to the Deployment Agent.

STEP 9: Deploy the ADS Disk Images to the TestMigration Virtual Machine

After the virtual machine is created, the source server disk images must be restored. TestMigration_DeployVM.cmd controls this part of the migration procedure. To restore the source disk images and deploy the virtual machine, go to C:\Program Files\Microsoft VSMT\p2v\TestMigration and execute

TestMigration_DeployVM.cmd

To follow the progress of the virtual machine deployment, you can use the Virtual Server 2005 R2 Administration Website on the Controller server. You'll see the virtual machine boot into the Deployment Agent and the disk images restore to the virtual hard disks, as shown in Figure 4. The hardware-dependent system files are then swapped for virtual machine-compatible versions, and required operating system configuration settings are applied.

If you use the MMC snap-in to check the ADS device database, you'll see that the virtual machine is still in the device database. The TestMigration_DeployVM.cmd script terminates after removing the RIS virtual floppy disk from the virtual machine. The virtual machine remains booted in the Deployment Agent.

STEP 10: Complete the Migration Process

Before you complete the source system to virtual machine migration process, perform a few final cleanup tasks. The TestMigration virtual machine is still booted into the Deployment Agent, so you need to reboot it: Open the ADS MMC snap-in, select and right-click the TestMigration device, then select Run job. A New Job wizard launches. Click Next. Select to create a one-time job, and click Next. Then click Next to skip the description screen. Select Internal command, and click Next. Select \bmonitor\reboot, and click Next. Click Finish to reboot the TestMigration VM.

Once the machine is rebooted, release control of the device, and delete the virtual machine from the device database. Log on to the virtual machine, and install the Virtual Machine Additions to get keyboard and mouse integration and better performance. Complete any remaining configuration modifications, and test the virtual machine connectivity and performance to ensure that it's running as expected. Once the virtual machine testing is complete, migrate TestMigration from the MobileP2V solution to the production Virtual Server host. Once you do that, you can back up and delete the source system disk images from the ADS image store.

Now you have a fully functional and tested MobileP2V solution that you can take to any part of your organization and perform a P2V migration. So go virtualize!

Author's Note: The instructions for the migration have been adapted from the Virtual Server 2005 R2 Resource Kit from Microsoft Press co-authored by Janique Carbone and me.
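Step 6 of the procedure above as an added PowerShell script (not from the article or from ADS). It assumes the downloaded NIC driver package has been unpacked to C:\Temp\NICDriver and that ADS is installed in its default folder; it copies the driver files flat into PreSystem, leaves out Txtsetup.oem, and restarts ADS Builder the way the net stop/net start pair does.

```powershell
# Added example, not part of the article: stage the source server's NIC driver
# files into the ADS file cache exactly as Step 6 requires (no subdirectories,
# no Txtsetup.oem), then restart the ADS Builder service so it picks them up.
$driverSource = 'C:\Temp\NICDriver'    # assumption: unpacked driver download
$preSystem    = 'C:\Program Files\Microsoft ADS\NBS\Repository\User\PreSystem'

function Copy-NicDriverToAdsCache {
    param(
        [string]$Source,
        [string]$Destination
    )

    if (-not (Test-Path $Source)) {
        throw "Driver package not found: $Source"
    }
    if (-not (Test-Path $Destination)) {
        throw "ADS PreSystem cache not found: $Destination (is ADS installed in its default folder?)"
    }

    # Walk the whole package, because vendor downloads often nest the files in
    # subfolders, but copy every file flat: ADS looks only in PreSystem itself.
    $files = Get-ChildItem -Path $Source -Recurse |
             Where-Object { -not $_.PSIsContainer }

    # Txtsetup.oem is a text-mode setup descriptor that ADS does not use.
    $files = @($files | Where-Object { $_.Name -ne 'txtsetup.oem' })

    if ($files.Count -eq 0) {
        throw "No driver files found under $Source."
    }
    if (-not ($files | Where-Object { $_.Extension -eq '.sys' })) {
        throw "No .sys driver binary found under $Source; check the download."
    }

    # Two files with the same name in different subfolders would silently
    # overwrite each other once flattened, so refuse that case.
    $dupes = $files | Group-Object Name | Where-Object { $_.Count -gt 1 }
    if ($dupes) {
        throw ("Duplicate file names in package: " + (($dupes | ForEach-Object { $_.Name }) -join ', '))
    }

    $staged = @()
    foreach ($f in $files) {
        $target = Join-Path $Destination $f.Name
        if ((Test-Path $target) -and ((Get-Item $target).Length -ne $f.Length)) {
            Write-Warning "Replacing $($f.Name), which already exists in PreSystem with a different size."
        }
        Copy-Item -Path $f.FullName -Destination $target -Force
        $staged += $f.Name
    }
    return $staged
}

$staged = Copy-NicDriverToAdsCache -Source $driverSource -Destination $preSystem
"Staged {0} driver file(s) into PreSystem: {1}" -f $staged.Count, ($staged -join ', ')

# Equivalent of 'net stop adsbuilder' followed by 'net start adsbuilder'.
Restart-Service -Name adsbuilder
Get-Service -Name adsbuilder | Select-Object Name, Status
```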
WINDOWS SERVER 2008 INSTALLATION

Explore the ins and outs of image-based installation

IT'S A SNAP!

BY JOHN SAVILL


Solutions

PROBLEM:

Installing and configuring Windows Server 2008

SOLUTION:

Choose to manually install or create an autounattended.xml file to roll out Server 2008.

WHAT YOU NEED:

Server with 512MB of memory; Server 2008

DIFFICULTY:

•oooo

SOLUTION STEPS:

1. Determine whether to perform a clean installation or an upgrade.
2. Choose to manually install or automate installation.
3. Determine whether a full or Server Core installation is appropriate.
4. Install Server 2008.
5. Configure the server for its role in your environment.


The Windows Server 2008 installation process is a very different beast than what you've experienced in the past when you've rolled out a new version of Windows Server. On the surface, the installation process might appear to be similar to what you've done before, but with fewer questions to answer, when in fact, something very different is happening under the covers. The speed of the installation will tip you off: It's quick!

Like Windows Vista, Server 2008 is an image-based installation from a Windows Imaging Format (WIM) file on the Server 2008 DVD. And just as the Vista DVD contains all the versions of that OS (i.e., Home Basic, Home Premium, Ultimate, and Business), the Server 2008 DVD contains the main versions of Server 2008: Windows Server 2008 Standard, Windows Server 2008 Enterprise, and Windows Server 2008 Datacenter editions. All the versions fit on one DVD because WIM is a single-instance storage format. That is, because the various versions contain the same basic set of files, all the versions can be stored in one image that takes up only slightly more space than the image of a single version. Each Server 2008 DVD supports only one architecture, so you'll have a different DVD for x86 (32-bit) than for x64 (64-bit). Let's walk through a typical installation scenario.

What to Expect

When you install Server 2008, you first need to decide whether to perform a clean installation or an upgrade. Usually, a clean installation is the best option, and that's what this example will show. (If you choose to upgrade, see the sidebar "What You Need to Know About In-Place Upgrades.")

You can deploy Server 2008 using Windows Deployment Services (WDS), which sends the installation environment over the network and lets you easily automate configuration with an unattended answer file. But to really see the ins and outs of the installation process, let's install Windows Server 2008 the old-fashioned way: manually.

Insert the Server 2008 DVD into your system's optical drive, and choose to boot from media (i.e., the DVD), which will load the Windows Preinstallation Environment (WinPE) from the boot.wim file on the DVD. Because Server 2008 is an image-based installation, the system needs an environment on which to lay the image, in addition to other functionality (e.g., the capability to partition the hard disk). WinPE provides that environment.

Once WinPE loads onto the system, the installation process immediately makes sure that the system has at least 512MB of memory; if the system has less memory, the installation won't proceed. If the system has enough memory, the installation process prompts you to select the language, time and currency formats, and keyboard or input method you want to use in the installation. The default is U.S. English, but you can modify the settings to fit your environment.

Next, you see a window that gives you the option to "Install now" or "Repair your computer." Selecting "Install now" will launch the installation routine, setup.exe. At any time while setup.exe is running, you can press Shift+F10 to open a command window in case you need to perform any other functions, such as running a script to add a utility partition or troubleshoot a problem installation; as long as the command window is open, the installation routine won't reboot the server. The repair option provides access to the Windows Recovery Environment and some automated repair options. These repair capabilities are very useful, so it's a good idea to keep the Server 2008 DVD handy for future use. (Note that you can also create a repair disk at any time from within Server 2008 after you install the Windows Backup Server feature; creating a repair disk is an option of the backup feature.)

So click "Install now," and the installation process displays a window that asks you to enter your 25-character product key, which is linked to a specific version of Server 2008. You can enter the product key, or you can leave the field blank and just click Next, which will trigger the confirmation dialog box that you see in Figure 1, page 52.

Why might you choose not to enter your product key at this time? Maybe you want to test the OS for 30 days, or maybe you just prefer to copy and paste the product key from a file after you install the OS. When you activate Server 2008, which you must do within 30 days after installing the OS, just be sure that the version installed on your system matches the version you're licensed for. If not, you'll face two options: You can purchase a product key for the version installed on your machine (which could be costly if, for example, your installed version is the Enterprise edition and your product key is for the Standard edition), or you can reinstall the version that matches your product key (which might cause you to lose any data, information, and programs placed on your system since you last installed the OS).

For this example, click No in the confirmation dialog box. A new window opens and asks which edition of Server 2008 you want to install. Because you didn't enter a product key previously, the window displays all the versions of Server 2008 that are in the image file, along with a confirmation check box that states, "I have selected the edition of Windows that I purchased," as Figure 2, page 52, shows.

If you had previously entered a product key, you'd see just two versions of the OS to choose from: the Full Installation and the Server Core Installation versions for the edition of the OS the product key identified. Server Core is a "lite," minimal-footprint server installation option that provides a low-maintenance, limited-functionality server environment. Server Core offers only basic components of Server 2008—not even the Windows Explorer shell, but just a command-prompt user interface—and is capable of supporting core server roles such as file server, DHCP server, print server, and DNS server. Server Core is not a platform for application development or application serving, for example, because it doesn't include the .NET Framework. So, why would you choose the Server Core option? With only minimal Windows functionality, many product updates will not need to be applied to Server Core systems; consequently, Server Core systems require less maintenance. Server Core systems also use fewer resources (e.g., disk space), and with no GUI, they're less open to security risks.

What You Need to Know About In-Place Upgrades

Windows Server 2008 provides an in-place upgrade option for installing the new OS on an existing server. Unlike a clean installation, an in-place upgrade keeps files, settings, and programs intact while the OS is upgraded. In general, an upgrade is a more complex process than a clean installation, and it requires some careful preparation (e.g., reviewing application compatibility information, backing up the server's data and configuration information, including boot and system partitions and system state data) ahead of time.

The Server 2008 upgrade option is supported from Windows Server 2003 SP1 or later versions of the OS but only in limited scenarios. Cross-architecture upgrades are not supported. For example, you can upgrade a 32-bit Windows 2003 server to 32-bit Server 2008 and an x64-based Windows 2003 server to x64-based Server 2008, but you can't upgrade a 32-bit Windows 2003 server to x64-based Server 2008. Upgrades from Windows 2003 for Itanium-Based Systems to Server 2008 for Itanium-Based Systems are not supported, and you cannot upgrade from any OS to a Server 2008 Server Core installation; Server Core is always a new installation or an in-place upgrade on itself. No in-place upgrade path exists from Windows Server 2000 or Windows NT Server to Server 2008.

Upgrades are really only practical for Windows 2003 systems running OS components and nothing else. Just because the OS can be upgraded doesn't mean that the software running on the server will support an OS upgrade process. For example, Exchange Server 2007 SP1 will run on Server 2008, but Microsoft will not support an in-place upgrade of x64-based Windows 2003 to x64-based Server 2008 with Exchange installed. I had an antivirus program that ran fine on a Windows 2003 system cause a problem. After I upgraded to Server 2008, the antivirus software wouldn't let the server boot because the driver was unsigned.

The reasons for such problems are numerous, but a key reason is that Server 2008 is an image-based installation. With Server 2008, you cannot "upgrade" in the traditional sense of replacing OS files and updating components. Instead, you essentially have to break down the existing system into "the OS" and "everything else" (e.g., files, registry settings, component registration), shove all of it into a backup folder, lay down the Server 2008 image on the system, put back the "everything else," and finally look at the installed Windows components and work out which Server 2008 roles and features those components equate to.

To further complicate matters, some server roles require special handling. For example, if you want to upgrade a Windows 2003 domain controller (DC) to Server 2008, you must first prepare the Active Directory (AD) forest and domain for the introduction of a Server 2008 DC. To do this, you use the Adprep command-line tool (located on the Server 2008 installation disk in the \sources\adprep folder), which extends the AD schema and updates permissions as necessary so that the domain can support a Server 2008 DC. (For more information about the Adprep tool, see technet2.microsoft.com/windowsserver2008/en/library/aa923ebf-de47-494b-a60a-9fce083d2f691033.mspx?mfr=true.)

Once you select the Server 2008 version you want to install and click Next, the licensing agreement is displayed. As always, read it thoroughly to ensure that you agree to all the conditions, select the "I accept the license terms" checkbox, and click Next.

The next window prompts for the type of installation you want to perform: Upgrade or Custom (advanced). Because you're doing a clean installation from media, the Upgrade option is disabled (i.e., grayed out), and you must select Custom (advanced). Note that if you run the installation process from within Windows Server 2003, both options will be enabled.

A new window opens that asks one final question: Where do you want to install Windows? A dialog box displays partitions and unallocated space. You can add or remove partitions, reformat a previously used hard drive before installing Server 2008, and load additional drivers as needed. Select the partition for the installation, then click Next to install the OS. If the partition isn't formatted, the installation process quickly formats the partition as NTFS and proceeds.

That's it. You're done—no more questions. You can go have a drink. But don't go too far! Because the installation is image-based, it doesn't take long to complete. A window displays the progress of the installation, and the server reboots twice during the process.

Figure 3: Reminder to change the password before initial logon

Configuration

So, what about all the things you never configured during installation: server name, time zone, administrator password, IP configuration? A server has a lot of default settings (a DHCP-assigned IP address, an automatically assigned server name, and so forth) that you need to configure after the installation process has completed. This is starting to sound worse than what you had to do previously to install Windows Server! In the past, you installed and configured the OS in one process. Now, do you have to root through different Control Panel applets to configure the server? Fortunately, no.

As Figure 3 shows, the first thing you see after the installation is a window that tells you the user's password must be changed before logging on for the first time. In the Server 2008 installation process, the Administrator account is created with a blank password, so the first action is to set a new Administrator password. Once you've set the new Administrator password, you are logged on as the Administrator.

If you ever had to install Windows Server 2003 with Service Pack 1 (SP1) slipstreamed after installation, you know that the Post Setup Security Updates (PSSU) Wizard forced you to patch your server and set an update schedule. With Server 2008, you get a beefed-up PSSU-type process in the form of the Initial Configuration Tasks (ICT) interface.

As you can see in Figure 4, the ICT guides you through all the main configuration items for a server with a new installation of Server 2008. The current values are displayed, and clicking an item opens the appropriate Control Panel applet for the value you want to set. For example, when you click the icon to set the computer name and domain, the Control Panel System applet opens automatically.

In Server 2008, Windows Firewall is enabled and Remote Desktop is disabled by default so that the server is secure from the start. Furthermore, Windows Firewall is fully integrated with the OS. Server 2008 offers several server roles (e.g., DHCP server, DNS server, domain controller) and features (e.g., backup, clustering) that help the server perform the role you select. (You add roles and features in section 3 of the ICT interface via the "Add roles" and "Add features" links.) When you enable a role and its supporting features, the various ports required by the role and its features are opened automatically in Windows Firewall; no additional configuration is required. (To maintain the Windows Firewall settings over time, you'll want to use the Security Configuration Wizard—SCW—to create templates that let you continuously monitor Windows Firewall.)

Once you've configured the server, select the "Do not show this window at logon" check box and click Close. If you want to perform further configuration or role and feature maintenance, use Server 2008's new role-based management tool, Server Manager.

Beyond Manual Installation

So that's a walkthrough of the basic Server 2008 installation experience. As you've seen, you don't really have much to do, but unless you need to install the OS on just a few servers, you'll want to automate the installation process.

To create an unattended answer file for use in an automated process, first download Microsoft's free Windows Automated Installation Kit (www.microsoft.com/downloads/details.aspx?FamilyID=c7d4bc6d-15f3-4284-9123-679830d629f2&DisplayLang=en). The WAIK contains the Windows System Image Manager application, which you'll use to create your answer file. You can use the answer file with services such as Windows Deployment Services to automate your installations, or you can name the answer file autounattend.xml, place it on a floppy disk or USB drive, and insert it as the Server 2008 installation process begins. The process will read and use the answer file to automate the installation.

The WAIK documentation details the minimum requirements you need to specify for an automated installation. Web Listing 1 (www.windowsitpro.com, InstantDoc ID 98081) provides an example of an autounattend.xml file that will partition the disk and install the full version of Server 2008 Enterprise. To use this file, you need to set the product key and also the local Administrator password value via the Windows System Image Manager as the local Administrator password is encrypted. (Note that there are other options—for example, a key management system—that don't require you to hand out the product key in an autounattend file.)
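The following answer file is an added example, not the article's Web Listing 1 and not Microsoft's sample; it walks the same steps the manual installation above does (language, disk partitioning, edition selection, product key, Administrator password) in the Windows Setup unattend schema. It assumes x64 media, a single disk that may be wiped, and an install.wim image name that you look up with Windows SIM; the image name, product key and password are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example autounattend.xml (not the article's Web Listing 1).
     Assumptions: x64 media, disk 0 may be wiped, and the install.wim image
     called IMAGE-NAME-PLACEHOLDER exists; all XXXX values are placeholders. -->
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-International-Core-WinPE"
               processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS">
      <!-- Answers the language / locale / keyboard prompt -->
      <SetupUILanguage>
        <UILanguage>en-US</UILanguage>
      </SetupUILanguage>
      <InputLocale>en-US</InputLocale>
      <SystemLocale>en-US</SystemLocale>
      <UILanguage>en-US</UILanguage>
      <UserLocale>en-US</UserLocale>
    </component>
    <component name="Microsoft-Windows-Setup"
               processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <!-- "Where do you want to install Windows?": wipe disk 0 and create
           one active NTFS partition. WillWipeDisk destroys existing data. -->
      <DiskConfiguration>
        <WillShowUI>OnError</WillShowUI>
        <Disk wcm:action="add">
          <DiskID>0</DiskID>
          <WillWipeDisk>true</WillWipeDisk>
          <CreatePartitions>
            <CreatePartition wcm:action="add">
              <Order>1</Order>
              <Type>Primary</Type>
              <Extend>true</Extend>
            </CreatePartition>
          </CreatePartitions>
          <ModifyPartitions>
            <ModifyPartition wcm:action="add">
              <Order>1</Order>
              <PartitionID>1</PartitionID>
              <Format>NTFS</Format>
              <Label>System</Label>
              <Active>true</Active>
            </ModifyPartition>
          </ModifyPartitions>
        </Disk>
      </DiskConfiguration>
      <!-- Edition selection: the image name replaces the edition dialog -->
      <ImageInstall>
        <OSImage>
          <WillShowUI>OnError</WillShowUI>
          <InstallFrom>
            <MetaData wcm:action="add">
              <Key>/IMAGE/NAME</Key>
              <Value>IMAGE-NAME-PLACEHOLDER</Value>
            </MetaData>
          </InstallFrom>
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>1</PartitionID>
          </InstallTo>
        </OSImage>
      </ImageInstall>
      <!-- Product key and EULA. A key written here is readable by anyone who
           can read the answer file, which is why the article mentions key
           management as an alternative to handing out the key. -->
      <UserData>
        <AcceptEula>true</AcceptEula>
        <ProductKey>
          <Key>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</Key>
          <WillShowUI>OnError</WillShowUI>
        </ProductKey>
      </UserData>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup"
               processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35"
               language="neutral" versionScope="nonSxS">
      <!-- Sets the Administrator password that the first logon would
           otherwise demand (Figure 3). Enter it through Windows SIM, which
           stores it in encoded form, rather than as plain text like this. -->
      <UserAccounts>
        <AdministratorPassword>
          <Value>PASSWORD-PLACEHOLDER</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
```

Because the file carries a product key and an Administrator password, treat the USB drive or floppy it sits on as a secret: restrict who can read the deployment share, and remove the media once Setup has read it.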
6 New Security Features in IIS 7.0

How they can help you get control over your Web server and reduce your attack surface

When you host a Web server, you put a part of your organization on display and open it up to the poking and prodding of the anonymous masses. Remotely exploitable flaws in the Web server platform can be disastrous. Case in point: Microsoft Internet Information Services (IIS) 5.0 left a trail of lost productivity and revenue.

However, Microsoft redesigned IIS with security as a top priority. The result was IIS 6.0, which is widely held as the most secure commercial Web server on the market (as indicated by the low number of Secunia advisories about it—three—see secunia.com/product/1438).

IIS 7.0 builds on the secure design of IIS 6.0 and has been modularized so that individual features can be removed entirely, thus reducing the overall attack surface of your Web server. Application pools, introduced in IIS 6.0 as a way to isolate applications from each other (and from the Web server process), are now more effectively sandboxed. New delegation features let site owners manage their sites without elevated privileges. Request filtering (aka UrlScan) is now built into the server. And administrators can define rules right in IIS 7.0 that control which users have access to which URLs.

These features are among the security-related enhancements in IIS 7.0. They're worth a closer look, and they might even change the way you think about managing and configuring Web sites.



Application Sandboxing

Consider a market research company hosting surveys or other low-volume sites for competing companies on the same box. Or consider a server that hosts a payroll application used by a small number of users and a homegrown portal used companywide. In both cases it's crucial that these applications running on the same servers be isolated from each other.

Web applications run in worker processes. Application pools map Web applications to worker processes. A specific worker process is used only to run applications that are part of the same application pool. In IIS 6.0 and IIS 7.0, the worker process is w3wp.exe.

In IIS 6.0, new Web sites and applications are put into the same application pool. This default application pool runs under the NetworkService account. As an administrator, you can create new application pools manually and assign Web apps to those pools. By default, those application pools will also run under the NetworkService account, which can lead to an undesirable runtime scenario as all Web applications run with the same permissions. An application in app pool A can read the configuration of app pool B and even access the content files of applications assigned to app pool B. Although it's easy enough to create new app pools and to configure custom accounts for each, managing those accounts over time is cumbersome.

With IIS 7.0, a new application pool is created automatically for each Web site. By default, that application pool is configured to run as the NetworkService account. But when the worker process is created, IIS 7.0 injects a special SID unique to the app pool into the NetworkService security token. IIS 7.0 also creates a configuration file for the worker process and sets the file's ACL to allow access only to the unique SID for the app pool. The result is that an application pool's configuration can't be read by other application pools.

As an additional precaution, you can change the ACLs on content files to provide access to the unique app pool SID instead of NetworkService. This will prevent an application in app pool A from reading the content files of an application in app pool B.

IUSR and IIS_IUSRS

Tangentially related to process identity is the question of which identity the server uses for anonymous requests. Previous versions of IIS relied on a local account, IUSR_servername, as the identity for anonymous users. IIS 7.0 uses a new built-in account called IUSR. You can't log in locally with the IUSR account, so it doesn't have a password (which means there are no risks due to attackers guessing the password). The IUSR account always has the same SID so ACLs are transferable between Windows Server 2008 machines (as well as Windows Vista machines). And if the IUSR account isn't appropriate for your scenario (e.g., if anonymous requests require authenticated network access), you can turn off the anonymous user account and IIS 7.0 will use the worker process identity for anonymous requests.

Also new is the built-in IIS_IUSRS group. This group replaces the IIS_WPG group. In IIS 6.0, the IIS_WPG group provides the minimum rights needed to run a worker process, and you must manually add an account to this group to provide a custom identity for a worker process. The IIS_IUSRS group provides a similar role for IIS 7.0, but you don't explicitly add accounts to this group. Instead, IIS 7.0 automatically enrolls accounts in IIS_IUSRS when they're assigned as the identity for an application pool. And as with the IUSR account, the IIS_IUSRS group is built-in, so it always has the same name and SID on all Server 2008 installations, making ACLs and other configurations completely portable between Server 2008 machines (and Vista machines).

Windows IT Pro, April 2008, www.windowsitpro.com

Figure 1: Configuring default document at the Web site level using feature delegation

    <system.webServer>
      <defaultDocument>
        <files>
          <clear />
          <add value="profile.aspx" />
        </files>
      </defaultDocument>
      <directoryBrowse enabled="true" />
    </system.webServer>

Figure 2: IIS 7.0 Configuration Settings

Feature Delegation

Not every Web server setting really needs to be protected by admin rights. Some settings are simple application-level decisions that can be made by developers or product managers. For example, in IIS 6.0 you need admin rights to change the default document for a Web application. But normally is there really any reason that the ability to change default.aspx to profile.aspx should require administrator rights?

In IIS 7.0, configuration decisions can now be delegated to site or application owners. IIS 7.0 uses a new XML-based configuration system inspired by ASP.NET. At the site and application level, both IIS 7.0 and ASP.NET configuration settings are found in the same web.config files.

Delegated settings such as the default document can be changed at the Web site level or application level by editing the web.config file directly or using the IIS Manager GUI, as Figure 1 shows, which updates the web.config for you. In the web.config file, the system.webServer section contains the IIS 7.0 configuration settings, which Figure 2 shows.

The sections that are valid within <system.webServer> are defined in a special configuration file called applicationHost.config. In applicationHost.config, each section has a default delegation mode. In the example in Figure 3, the default document and directory browsing settings can be overridden but not the asp, caching, or cgi sections.

But what if there is a good reason to prevent a Web site owner from changing the default document? No problem: IIS 7.0 lets you lock configuration elements so they can't be set or overridden in web.config files. In the case of the default document, you can globally change the default override mode to Deny or you can explicitly set the override mode to Deny for specific locations (using location tags). The IIS team recommends asserting these kinds of changes in location tags, as Listing 1 shows. Feature delegation can be a great boon to a busy administrator because it safely empowers Web site and application owners to configure aspects of the Web server that affect only their sites and applications.

    <sectionGroup name="system.webServer">
      <section name="asp" overrideModeDefault="Deny" />
      <section name="caching" overrideModeDefault="Deny" />
      <section name="cgi" overrideModeDefault="Deny" />
      <section name="defaultDocument" overrideModeDefault="Allow" />
      <section name="directoryBrowse" overrideModeDefault="Allow" />
      <!-- remaining section definitions omitted -->
    </sectionGroup>

Figure 3: Default Settings in Override Mode Deny and Override Mode Allow


Administration Delegation

Many admins find it expedient to just give out admin access to whoever needs to apply a change to a site or application. This, of course, is a tremendous security risk. Unfortunately, the choice has been difficult: either liberally assign admin rights or impede updates by becoming the single point of administration. With IIS 7.0, server admins can grant administration rights for a specific Web site or application to one or more users without elevating user privileges.

In IIS Manager, which Figure 4 shows, users can connect to an IIS 7.0 server using Windows credentials or credentials specific to IIS Manager. The beauty of credentials specific to IIS Manager is that you provide a very specific and limited set of rights to a user: IIS Web site administration rights. The credentials are useless outside of IIS Manager.

For remote use, a standalone version of IIS Manager is available for Windows Vista, 2003, and XP. Before you can connect remotely with IIS Manager, remote management must be explicitly enabled on the Web server by doing the following:

1. Install the Web Management Service (WMSVC)

2. Enable remote management via IIS Manager on the Web server (or via the registry)

3. Start the Web Management Service

Firewall rules or remote access policies can make it difficult to use remote management tools. For this reason, IIS Manager works over HTTPS, so it's both secure and firewall-friendly. By default, the Web Management Service uses a self-signed certificate and listens on port 8172.

Microsoft offers IIS 7.0 Manager for remote management at www.iis.net/go/1524. For additional resources (including detailed configuration instructions), search for IIS 7.0 remote administration at iis.net. You can also find more information about the new IIS features at this Microsoft site.

Listing 1: Using Location Tags to Set Override Mode to Deny

    <location path="Default Web Site" overrideMode="Deny">
      <system.webServer>
        <defaultDocument>
          <files>
            <clear />
            <add value="default.aspx" />
          </files>
        </defaultDocument>
      </system.webServer>
    </location>

Built-In Request Filtering

If you've administered IIS servers, you're probably already familiar with UrlScan, a downloadable tool for IIS 4.0 and higher that restricts the types of requests that IIS will service. The intent behind request filtering is to protect your Web server from potentially malicious requests.

In IIS 7.0, UrlScan has been enhanced and bundled with the Web server in the Request Filtering Module. The Request Filtering Module rejects requests based on configurable criteria. For example, the module can reject double-encoded requests or requests of unusual size (such as large POST payloads or URLs that are too long). The Request Filtering Module can also reject requests for file types, paths, or HTTP verbs that your site doesn't support.

With IIS 7.0, request filtering configuration can be delegated, allowing site admins to define their own request filtering rules in web.config files, which wasn't possible with UrlScan and IIS 6.0. For more information about request filtering in IIS 7.0, see the Security Pro VIP article "Unleash the Power of IIS 7.0's Security Features," InstantDoc ID 96999.

URL Authorization

Web applications often have restricted areas to which only certain users have access. Only a manager, for example, is allowed to access performance reviews in an HR system. These restricted pages are commonly grouped together into directories with names like Administration, Reporting, or Moderation. Properly securing these sections to prevent unauthorized access has been cumbersome at best with previous versions of IIS. Even with the URL authorization feature built into ASP.NET, you still have to deal with non-ASP.NET content such as PDF or Excel files that need to be protected. And ASP.NET URL authorization rules are managed by editing XML, which can be tedious.

Listing 2: URL Authorization Rules Syntax

    <location path="Reporting">
      <system.webServer>
        <security>
          <authorization>
            <remove users="*" roles="" verbs="" />
            <add accessType="Allow" roles="Managers" />
            <add accessType="Deny" users="*" />
          </authorization>
        </security>
      </system.webServer>
    </location>

In IIS 7.0, ASP.NET URL authorization is 
still available, but in addition, a URL authori¬ 
zation feature is provided by the Web server 
itself. Now access to all content types (e.g., 
static, PHP, ASP) can be controlled based on 
user, group, and URL. For example, you can 
easily restrict access to anything under the 
Reporting path to only those users belonging 
to the Managers group—without touching 
the file ACLs. Figure 5 shows URL authoriza¬ 
tion rules configuration in IIS Manager. 

URL authorization rules are persisted in 
the system.webServer section of web.config 
files with a slightly different syntax than ASP 
.NET authorization rules, as Listing 2 shows. 

Since the authorization rules are con¬ 
tained entirely in your configuration files 
(local web.config), they are easily transferred 
between applications and servers. And the 
URL authorization in IIS 7.0 works with Win¬ 
dows users and groups as well as ASP.NET 
users and roles. 
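The site-level web.config below is an added example, not code from the article or from the IIS team, and it serves both the Built-In Request Filtering section and the URL Authorization section above. It assumes a hypothetical site that serves only .aspx, .css, .js, .png and .pdf content, two hypothetical folder names (backup, logs) that must never be served, and a static "Reports" folder of PDF files readable only by the Windows group Managers; the size limits are constructed values to adjust to the application.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example web.config for one site (not the article's code).
     Assumptions: the extensions, folder names, group name and limits below
     are hypothetical and must be adapted to the real application. -->
<configuration>
  <system.webServer>
    <security>
      <!-- Request Filtering Module: drop requests the site never needs to
           service before any handler or application code runs. -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">
        <!-- Unusual size: 10 MB bodies, 2 KB URLs, 1 KB query strings -->
        <requestLimits maxAllowedContentLength="10485760"
                       maxUrl="2048" maxQueryString="1024" />
        <!-- File types: only listed extensions are served; "." keeps
             extensionless URLs such as the site root working -->
        <fileExtensions allowUnlisted="false">
          <add fileExtension="." allowed="true" />
          <add fileExtension=".aspx" allowed="true" />
          <add fileExtension=".css" allowed="true" />
          <add fileExtension=".js" allowed="true" />
          <add fileExtension=".png" allowed="true" />
          <add fileExtension=".pdf" allowed="true" />
        </fileExtensions>
        <!-- HTTP verbs: anything other than GET, HEAD and POST is rejected -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
        <!-- Paths: hypothetical folders that must never be reachable by URL
             (IIS already hides bin, App_Data and web.config by default) -->
        <hiddenSegments>
          <add segment="backup" />
          <add segment="logs" />
        </hiddenSegments>
        <!-- Reject any URL containing a parent-directory sequence -->
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- URL authorization for non-ASP.NET content: the static PDF reports are
       readable by Managers only, and only with read verbs, without touching
       file ACLs. Same rule pattern as Listing 2, scoped to a folder. -->
  <location path="Reports">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="Managers" verbs="GET,HEAD" />
          <add accessType="Deny" users="*" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Both sections only take effect from a site's web.config if the server administrator has delegated them: the requestFiltering and authorization sections must be overridable for that site in applicationHost.config (the override mode mechanism of the Feature Delegation section), otherwise IIS reports a configuration error for the locked section. After deploying, confirm the filters by requesting a denied extension, a denied verb and a hidden segment and checking that each returns an error rather than content.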

Building on IIS

IIS 7.0 builds on the solid security legacy of IIS 6.0, and it retains the core architecture of IIS 6.0 with the app pool / worker process isolation model that has proven to be very effective. Although the new modular architecture changes receive a lot of the attention when discussing IIS 7.0 security, automatic application sandboxing, feature delegation, and URL authorization make it easier than ever to secure your Web server.

InstantDoc ID 98393

Figure 5: URL Authorization rules configuration in IIS Manager
Customize Search Features in Microsoft Office SharePoint Server 2007

MOSS gives site admins the tools to target searches to users' needs

by Anup Kafle

Search capabilities in Microsoft Office SharePoint Server (MOSS) 2007 include a host of powerful features suitable for a large enterprise intranet or extranet. Although Windows SharePoint Services (WSS) 3.0 also includes many of these features, only MOSS provides the easy customization of the search scope and UI. SharePoint administrators can customize MOSS to meet many specific business needs.

With MOSS, you can search a wide array of sources in the network, such as Web sites, file shares, and Microsoft Exchange Server public folders—not to mention site contents within the SharePoint server itself. The MOSS standard site collection feature pack offers two search enhancements, an Advanced Search Web part and the Search Center site template, that SharePoint administrators can use to fully customize the site's UI and search behavior. SharePoint offers two display options for search results: through a search Web service or through the built-in search results page. The search Web service, which lets you access results from client applications outside of the context of SharePoint, is development-intensive and beyond the scope of this article. Managing search scopes and accessing search results from within the SharePoint UI, however, doesn't require a developer's skill set—although it isn't necessarily intuitive or straightforward.

Customize Search Scope

Because SharePoint can crawl contents from a wide array of sources, you use search scopes to let users search a specific subset of the workspace's entire contents. Targeted scopes help you get better search results while boosting overall search performance.

You customize search scopes in MOSS in the Shared Services Administration section of SharePoint Central Administration. Shared Services are applications that run behind the scenes on their own Microsoft IIS Web applications. These services can be configured from a single place and shared for use by SharePoint sites on multiple MOSS and WSS servers—hence the name. The MOSS search engine is an example of Shared Services. Keep in mind that someone with administrative privileges in the regular SharePoint content sites won't necessarily have access to Shared Services Administration.

By default, MOSS has two out-of-the-box search scopes:

• People—searches for all content in the My Sites area of the SharePoint farm.

• All Sites—searches for content in the entire SharePoint farm.

These scopes both cover a rather broad range of sites. You'll have to create your own scopes to target more specific areas of your content. Take, for example, a document library list named
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Catalog, with various custom columns that 
track document metadata. In the default 
setup scenario, if you want to search for 
content only within this document library, 
you would have to navigate to that document 
library, then select This List: Catalog in the 
search scope drop-down menu. 

The first item in the drop-down menu is 
specific to each page. If you're somewhere 
else on the site, you'll see different options 
on the list—but you won't see the This List: 
Catalog scope. The solution is to add a new 
search scope that appears in the search scope 
list on every page. Here are the steps to follow 
to create the new scope: 

1. Navigate to the site's Shared Services 
Administration home page. 

2. In the Search section, click Search settings.

3. In the Scopes section, click View 
scopes. 

4. Click New Scope on the toolbar. 

5. On the Create Scope page, enter a title; this is the text that will appear in the search
scope drop-down menu.

6. In the Target Results Page section, select Specify a different page for searching this
scope and specify a new page name, such as catalogresults.aspx. If the .aspx page you specify
doesn't exist yet, you can create it by accessing the Site Actions menu of the target
SharePoint site. Click OK.

Now that you've created a new search scope, you need to specify the content this scope should
query when searching by adding a rule for the search scope, as follows:

1. On the View Scopes page, click the 
Add rules link for the search scope you just 
created. 

2. On the Add Scope Rule page, in the 
Scope Rule Type section, click Web Address. 

3. In the Web Address section, enter the 
path to the document library under Folder. 

4. In the Behavior section, select Include. 
Click OK. 

You've now specified a content source for 
the custom search scope. The next step is to 
have SharePoint display this custom search 
scope in the search drop-down menu. This 
configuration is done through the SharePoint 
site's Site Settings page: 

1. Navigate to the top-level SharePoint site home page.

2. Select Site Actions, Site Settings, Modify 
All Site Settings. 

3. Under Site Collection Administration, 
click Search scopes. 

4. Click the Search Dropdown link. 

5. On the Edit Scope Display Group page, 
select the scope you created earlier. As Figure 
1 shows, you can also change the order of 
search scopes on the list and set the default 
search scope. Click OK. 

Schedule the Search Crawl

The SharePoint search engine crawls the content in the search scope every so often. The
frequency of this crawl is controlled by a search schedule. By default, SharePoint is set to
crawl only once in a 24-hour period for the default search scope content. After you've defined
your custom search scope, you need to set up a crawl schedule for it. You can set up separate
schedules for full crawls, which build an index of all site content, and incremental crawls,
which index only changes to content since the last crawl.

A full crawl takes longer and is more resource intensive on the server than a partial crawl.
Therefore, it's best to schedule fewer full crawls than incremental crawls and to schedule them
during non-peak hours. A partial crawl, however, doesn't detect all types of changes. For
example, when a row item on a SharePoint list is changed or deleted, a partial crawl won't find
the change because it can't recognize changes to .aspx pages. A full crawl is required to
re-index the list data after such changes.

You set up custom crawl schedules through the site's Shared Services Administration. Follow
these steps:

1. Navigate to the Shared Services 
Administration home page and click Search 
settings. 

2. Click Content sources and crawl schedules under Crawl Settings.

3. On the Manage Content Sources page, 
right-click the content source for which you 
want to schedule a crawl, then click Edit. 
You can also define a new content source by 
clicking the New Content Source button on 
the toolbar. 

4. On the Edit Content Source page, in 
the Crawl Schedules section, click the Create 
schedule link below either the Full Crawl or 
Incremental Crawl drop-down list. 

5. In the Manage Schedules dialog box, fill in the crawl schedule details and click OK. For
example, to run the crawl every two hours throughout the day, select Daily in the Type section;
under Settings, enter 1 in the Run every box so it runs every day; select the Repeat within the
day check box, then enter 120 in Every as the number of minutes between crawls and 1440 in For
as the number of minutes for this cycle to repeat.

Customize the Search UI

Adding a custom search scope to the search 
drop-down menu is an example of search UI 
customization. MOSS provides numerous 
out-of-the-box features, such as Web parts 
and site templates, that let you customize the 
UI of both search and results pages. Search 
Center is a new site template dedicated 
to search functionality; it's embedded with 
many standard search-related Web parts. 

The Search Center site template comes in two flavors: Search Center Lite and Search Center
with Tabs. Search Center Lite is available in site collections by default where the Office
SharePoint Server Publishing feature isn't activated. Search Center with Tabs is available in
site collections with the publishing feature activated; this version lets you create a custom UI
that includes tabs with different searches. You can see a list of both activated and available
features of a site by going to the site collection's administration page and clicking Site
collection features. The Search Center is usually a sub-site under the site collection with the
URL http://<sitecollectionaddress>/searchcenter/. In a publishing site, you can also create your
own Search Center sub-site by using the Search Center with Tabs template on the Enterprise tab
in the New SharePoint Site page, as Figure 2 shows.

Customize Search Tabs 

You use tabs to group search queries and 
results by scope. By keeping each scope in its 
own tab, you can also create a different search 
form for each scope. Users access a custom 
search form to query by fields or values that 
apply only to a particular scope, and the 
results displayed pertain only to that scope. 

By default, the Search Center contains 
two tabs, All Sites and People. These tabs 
appear on the Search Center home page. The 
All Sites tab searches all SharePoint content 
sites; the scope for People is limited to My 
Sites. If you want to add a new custom tab, 
follow these steps: 

1. On the Search Center home page, click 
Site Actions, Edit Page to reveal the Web parts 
that form this search page. 

2. Click Add New Tab. 

3. Enter a tab name (e.g., Catalog) and 
page (e.g., catalog.aspx), then click OK. 

4. Click Site Actions, Create Page. 

5. Create a new .aspx page with the name 
you used in step 3 using the (Welcome Page) 
Advanced Search page layout template, then 
click Create. 

6. In the Middle Upper Left Zone (or a 
different zone if you prefer), click Add a Web 
Part. 

7. In the Add Web Parts dialog box, select 
Advanced Search Box, then click Add. 

You've added a new search tab named Catalog to your Search Center, and it includes the
Advanced Search Web part.

Customize Advanced Search

Earlier, we created a custom scope that you could access from anywhere in the site to search
for contents only within the Catalog document library. Now, imagine this library has a custom
column named Color Category.

We want users to be able to search for documents in this library that are tagged with a
particular color. With the standard search box, if the user searches for a color (e.g., green),
the results include all documents that have the word green anywhere in the document body or
metadata. But what if the user wanted to search only those documents that are tagged as green
in the Color Category field? The Advanced Search Web part, with some customizations, can help
answer that question. Here's how:

1. Go to the catalog.aspx page in Search 
Center, then click Site Actions, Edit Page. 

2. In the Advanced Search Web part, click 
edit, Modify Shared Web Part. 

3. The Advanced Search Web part tool pane appears on the right. This pane lets you customize
most of the search behavior and text labels. The tool pane contains the following categories:

Search box. This category lets you show 
or hide text boxes for specific searches, such 
as "All words," "none of these words," and 
so forth. You can also change the label that 
appears with these text boxes. 

Scopes. Here you can specify whether you want the scope selector shown to the user. When
shown, the scope selector appears as a check box list so that the user can select more than
one scope for a search. You can also specify which scope grouping to show in this list. Scope
groups are defined on the Site Settings page under Site Collection Administration. The default
groups available are Search Dropdown and Advanced Search. The Show the result type picker
option lets users specify search result item types, such as Microsoft Word, Microsoft Excel,
PDF, or HTML files; this option must be checked to enable the properties search.

Properties. This is where you can enable 
searches by custom fields. The Properties 
text box contains an XML code snippet that 
dictates how the properties are displayed in 
the search form. 

Miscellaneous. This section lets you specify the results display page. By default, results are
displayed in results.aspx, but you can create your own customized results page and enter its
location here.

4. Expand the Properties category in the tool pane to update the XML snippet to include the
custom Color Category field. Click the ellipsis next to the text box to view the XML code.

5. Locate the <PropertyDefs> node and add the following code anywhere in it:

<PropertyDef Name="ColorCategory" DataType="text" DisplayName="Color Category"/>

6. Locate the <ResultTypes> node with 
the DisplayName="All Results" attribute and 
add the following anywhere in it: 

<PropertyRef Name="ColorCategory" /> 

7. Click OK to save changes. 

As Figure 3, page 62, shows, when you refresh 
the search page, you'll see a new value named 
Color Category for property restrictions. 

Manage Metadata Property Mappings

Note that in step 5 above, we referred to a property definition with the name ColorCategory.
SharePoint doesn't yet know how to search for this property. You need to define this property
such that it maps to the field named Color Category in the Catalog document library. This
definition is done through metadata property mapping.

Windows IT Pro APRIL 2008 61

SharePoint PRO Customize MOSS Search

[Figure 4: Viewing the customized search results page in edit mode]

SharePoint list and document library fields are also referred to as properties. As the
SharePoint search engine crawls through lists, it indexes the properties, which are then
referred to as crawled properties. You define relationships between list properties and
crawled properties through Search Settings' Metadata Property Mappings. For the example
above, you can define a new managed property named ColorCategory and map it to the crawled
property that points to the document library's field named Color Category by following these
steps:

1. Navigate to the Shared Services Administration home page and click Search settings.

2. In the Crawl Settings section, click 
Metadata property mappings. 

3. Click New Managed Property in the 
toolbar. 

4. Enter ColorCategory for Property 
name. 

5. Make sure Text is selected under The 
type of information in this property. 

6. In the Mappings to crawled properties section, click Add Mapping.

7. In the Crawled property selection dialog box, select the property labeled
ows_Color_x0020_Category(Text), then click OK. Note that all custom fields in lists and
document libraries are prefixed with ows_ in the crawled properties index. Spaces in field
names are translated to _x0020_.

8. Click OK to save the property. 

You've now created a property definition 
that maps to the Color Category field. After a 
full crawl of the site, you can start using this 
property definition in the advanced search 
page to get targeted results. 

Customize Search Results

By default, the Search Center displays results 
in the results.aspx page. You can customize 
this page or create your own results page. 
For example, consider the document library with the custom Color Category field. When
a user searches against the Catalog scope, 
you want the search results page to display a 
field named Color Category. You can achieve 
this by modifying the XSL markup of the 
Search Core Results Web part in the search 
results page. 

Start by performing a search with the 
Catalog scope so that you get a results page 
where only items that fall within the Catalog 
scope are displayed. After you have such 
a page, follow these steps to create a new 
search results page: 

1. Click Site Actions, Create Page. 

2. Enter a Title (e.g., Catalog Results) and 
a URL Name (e.g., catalogresults.aspx) for the 
new page. 

3. Select the (Welcome Page) Search 
Results Page layout, then click Create. 

After step 3, you'll see the catalogresults.aspx 
page in edit mode, which shows its various 
Web parts. Search Core Results is the Web 
part that displays the search results. You need 
to modify this Web part to include the Color 
Category column in the search results view. 
In the Search Core Results Web part, click 
edit, Modify Shared Web Part. This action 
displays the Web part properties tool pane. 
As Figure 4 shows, the tool pane contains the 
following categories: 

• Results Display/Views—In this section, 
you specify search results to display per 
page, sentences to show in the results 
display, and so forth. 

• Results Query Options—This section lets you specify options such as duplicate results
removal, search term stemming, and noise word inclusion. Word stemming matches a search
word with its grammatical variants; for example, the word crawl stems to crawls, crawled,
crawler, and so forth. Noise words, also known as stop words, are words that aren't significant
indicators for content, such as the word the.

• Fixed Keyword Query—This section lets you enter a specific keyword to automatically include
with every search.

• Miscellaneous—Here you can narrow the scope of search results, and also choose options such
as Show Action Links, Display "Alert Me" Link, Display "RSS" Link, and so forth.

Below these categories, you'll find the Data View Properties section, which contains the XSL
markup that controls the HTML to render the search results dataset. So, to continue the
process of customizing the results page:

4. Expand the Results Query Options 
category. 

5. Add the following line of XML to the 
Columns node in the Selected Columns text 
box, then click OK: 

<Column Name="ColorCategory"/>

Remember that we've already defined the 
ColorCategory column. The SharePoint 
search engine returns data internally in XML 
format. This XML data is transformed to an 
HTML view through XSL markup. 

6. Under the Data View Properties section, click XSL Editor to display the Text Entry dialog
box with the XSL markup that renders the XML results into HTML.

7. Copy the XSL markup to an external text editor, such as Microsoft Office SharePoint
Designer 2007. SharePoint Designer is a WYSIWYG editor, so it helps you visualize the results
of the XSL code as you edit.


8. Locate the result template node in the 
markup; its first line looks like this: 

<xsl:template match="Result">

9. Add the following before the line <p class="srch-Metadata"> in the result template node:

Color Category: <xsl:value-of select="colorcategory" />

Note that the value colorcategory is written in 
all lower case, regardless of how it was written 
in metadata property mapping. 

10. Copy and paste the entire XSL markup 
back into the Text Entry dialog box, then click 
Save. 

11. Click OK to save changes to the XSL 
markup and the Web part. 

Now when you perform a search using the search box, you'll see the Color Category property
exposed in the search results area. By following these steps, you can expose any property
that's already stored in the metadata.
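
The three spellings of one custom field that the steps above depend on (the ColorCategory name used in the Advanced Search PropertyDef and PropertyRef in steps 5 and 6, the ows_/_x0020_ crawled property label from step 7 of the metadata mapping procedure, and the lower-case select in step 9), worked through in Python as an added example that is not code from the article or from Microsoft. The PropertyDefs/ResultTypes skeleton is a constructed stand-in for the Web part's Properties XML, and the function names are my own.

```python
"""Derive the names MOSS 2007 search customization needs for a custom column and
apply the Advanced Search XML edit. Added example; not code from the article or
from Microsoft. The XML below is a constructed skeleton holding only the two nodes
the Advanced Search steps touch; a real Web part exports more than this."""
import xml.etree.ElementTree as ET

# Constructed stand-in for the Advanced Search Web part's Properties XML.
SAMPLE_PROPERTIES_XML = """<root>
  <PropertyDefs>
    <PropertyDef Name="Path" DataType="text" DisplayName="URL"/>
    <PropertyDef Name="Size" DataType="integer" DisplayName="Size"/>
  </PropertyDefs>
  <ResultTypes>
    <ResultType DisplayName="All Results" Name="default">
      <Query/>
      <PropertyRef Name="Size"/>
    </ResultType>
    <ResultType DisplayName="Documents" Name="documents">
      <Query>IsDocument="1"</Query>
      <PropertyRef Name="Size"/>
    </ResultType>
  </ResultTypes>
</root>"""


def managed_property_name(display_name):
    """Managed property name as the article builds it: the display name with spaces
    removed ("Color Category" -> "ColorCategory"). The same spelling goes into the
    PropertyDef, the PropertyRef, the managed property and the results <Column>."""
    return display_name.replace(" ", "")


def crawled_property_name(display_name):
    """Label of the crawled property for a custom list field, per the article: an
    ows_ prefix with every space rewritten as _x0020_. The crawled property picker
    appends the data type in parentheses, e.g. ows_Color_x0020_Category(Text)."""
    return "ows_" + display_name.replace(" ", "_x0020_")


def xsl_value_of(display_name):
    """Line inserted into the Result template in step 9: the select is the managed
    property name in lower case, whatever case the property mapping used."""
    select = managed_property_name(display_name).lower()
    return f'{display_name}: <xsl:value-of select="{select}" />'


def add_property(properties_xml, display_name, data_type="text",
                 result_type="All Results"):
    """Apply steps 5 and 6 of the Advanced Search procedure: add a PropertyDef under
    <PropertyDefs> and a PropertyRef under the ResultType whose DisplayName matches.
    Idempotent, so re-running on already-patched XML does not duplicate nodes."""
    root = ET.fromstring(properties_xml)
    name = managed_property_name(display_name)

    defs = root.find("PropertyDefs")
    if defs is None:
        raise ValueError("no <PropertyDefs> node in Properties XML")
    if defs.find(f"PropertyDef[@Name='{name}']") is None:
        ET.SubElement(defs, "PropertyDef", Name=name, DataType=data_type,
                      DisplayName=display_name)

    rtype = root.find(f"ResultTypes/ResultType[@DisplayName='{result_type}']")
    if rtype is None:
        raise ValueError(f"no ResultType with DisplayName={result_type!r}")
    if rtype.find(f"PropertyRef[@Name='{name}']") is None:
        ET.SubElement(rtype, "PropertyRef", Name=name)

    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    field = "Color Category"
    print("managed property :", managed_property_name(field))
    print("crawled property :", crawled_property_name(field) + "(Text)")
    print("XSL line         :", xsl_value_of(field))
    print(add_property(SAMPLE_PROPERTIES_XML, field))
```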


Control SharePoint Searches

You should now have a good idea of how you can customize the search experience in MOSS 2007.
The procedures shown in this article, though simple, can easily be leveraged to create more
meaningful business solutions that can crawl and index a large amount of disparate data, yet
offer end users targeted search capabilities to zero in on a specific subset of data. Custom
search scope definitions also let administrators schedule indexing and crawling of each scope
separately: Only scopes with frequently changing contents need to be crawled frequently. This
ability not only saves server resources, but it also makes the search results more accurate
and fresh.
Tricks & Traps - Ask the Experts

Q: We're looking into replacing our current Exchange Server 2003 SP1 server with new server
hardware. Do you know of any problems we might encounter with having a mixed environment of
servers running Exchange 2003 SP1 as well as Exchange 2003 SP2? Going straight to SP2 on new
hardware will save us work down the road.

A: I haven't heard of any problems with running a mixed Exchange 2003 SP1/SP2 environment as
you describe. Be aware, however, that if you use a front-end and back-end setup, you must
upgrade the front-end servers first. So effectively, if you were to have any back-end Exchange
2003 SP2 servers, then you should upgrade your front-end servers first to SP2.

InstantDoc ID 97944 


—Nathan Winters 


Q: How often does Group Policy 
update security settings, and how 
can I configure that interval? 

A: By default, Group Policy is refreshed every 90 minutes (plus a random time period up to 30
minutes) on domain members, but only if Group Policy has changed. In addition, every 960
minutes (16 hours), security settings are reapplied regardless of whether any changes to Group
Policy have been made.

To modify the value of the 
security refresh from the default 
960 minutes, perform these steps: 

1. Start the registry editor (regedit.exe).

2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A} registry subkey.

3. Double-click the value 
MaxNoGPOListChangesInterval 
and set it to the desired number of 
minutes. Click OK and close the 
registry editor. 

InstantDoc ID 97943

—John Savill 

Q: What is automatic site coverage and how do I disable it?

A: Usually domain controllers (DCs) register site-specific records for their local site in DNS,
enabling clients to easily find DCs and other services that are closest to them. If a site
contains no DCs, then DCs in the sites closest to that site (calculated by site-link costs) will
register site-specific records for that site as well, to help clients find a DC as close as
possible. This is known as automatic site coverage.

With Windows Server 2008, your Windows Server 2003 DCs might have problems because they won't
see read-only DCs when they check for a DC. Therefore, the Windows 2003 DCs will register
records for the site containing the read-only DCs, which isn't desirable.

To disable automatic site coverage, perform the following steps on each of the DCs:

1. Start the registry editor (regedit.exe).

2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry subkey.

3. From the Edit menu, select New, DWORD value.

4. Enter a name of AutoSiteCoverage and press Enter.

5. Double-click the new value and set it to 0 to disable it (1 enables it). Click OK.

—John Savill

Q: I'm an older model Pentium III desktop. Recently, my guy has started perusing computer
marketplace sites and downloading model specs. He claims he just likes to look. Should I be
concerned?

A: Yes. You can try defragging or getting a system tune up, but if he's already looking, you're
probably just postponing the inevitable. Operating in denial doesn't help. Accept that you're
getting older and may not be providing for his needs. I've known many machines who've been
relatively happy in their later years being the "other" computer, performing backups, storing
photos, or doing simple word processing tasks. As long as you keep yourself useful, you might
not end up being given to the wife's second cousin's brother-in-law for experimentation or
spare parts.
Windows Power Tools




Defrag from Windows Vista’s Command Line 

As usual, you’ll find more functionality by abandoning the GUI 



Mark Minasi 

(www.minasi.com/ 
gethelp) is a senior 
contributing editor for 
Windows IT Pro, an 
MCSE, and the author 
of 25 books, including 
Administering Windows 
Vista Security: The Big 
Surprises (Sybex). 

He writes and speaks 
around the world about 
Windows networking. 


Microsoft has included an NTFS disk-defragmentation tool in Windows Server products since
Windows NT 4.0. In fact, it seems as if every new Windows version comes with a brand-new defrag
tool, and Windows Vista is no exception. Vista's GUI-based defragmenter has taken a lot of heat
for its taciturnity: Whereas previous GUI defraggers offered a graphical representation of your
disk's used and free spaces, Vista's GUI defragger merely asks that you trust in its
effectiveness and not worry about the details. However, even if the tool is doing a good job, I
prefer to know what my system is doing.

So, I turned to the command-line defragger, Defrag (defrag.exe), to see whether it offered a
bit more functionality than the GUI tool. As is so often the case, it did.

Basic Defrag 

One of the cool things about Defrag is its report, which 
you can get with the tool's -a option (for the basic report) 
or its -a -v option (for the more detailed report). Invoke 
the command as follows: 

defrag <driveletter> -a -v 

The basic report displays the size of the largest block of free space and the overall percentage
of fragmented files, followed by a line of advice about whether you should defragment the
drive. The addition of -v adds about 20 factoids concerning your system, including the average
size of your files, the degree of fragmentation in NTFS's Master File Table (MFT), the total
number of fragmented files, and so on.

I've been guilty of ignoring the need for defragmentation until performance is sluggish.

You can meet Mark Minasi at the upcoming Windows Connections 2008 conference in Orlando,
Florida, April 27-30. For more information, visit www.winconnections.com.

Don't forget to run Defrag from an elevated Vista command prompt—by choosing the Run as
Administrator option when you open the command prompt. Defragging involves reading and writing
files, and because only administrators have the power to read all files, Defrag probably
requires this privilege elevation.

Defragging a drive is easy: Simply follow the command with the letter of the drive to
defragment. For example,

defrag C:

That command performs a quick, simple defragmentation that merely attempts to bring together
fragments that are smaller than 64MB. The reason behind that limitation is that you won't see
much performance impact in joining monstrous hunks of data, compared with joining smaller
fragments. For example, sequentially reading a file broken into ten 500MB fragments would
certainly be slower than reading one 5000MB chunk, but not by much. But consider reading that
same file as 500 10MB fragments. The drive's read/write head would be dancing all over the
platter!

However, what if you want to go ahead and defragment fragments smaller than 64MB? Then just
add the -w option, as in

defrag C: -w 

Of course, that job will take longer—much longer,
in some cases. When I tried defragging my 160GB C 
drive with the -w option after running Vista for nine 
months, the procedure took four hours. But, again, if 
"sleek is what you seek" defragging-wise, then -w is 
the way. 

Heavy Duty 

I've sometimes been guilty of ignoring the need for 
defragmentation until performance is sluggish, and it's 
no coincidence that the sluggishness is most obvious 
when I've just about filled the drive. Unfortunately, the 
GUI defragger refuses to attempt a defrag if the drive has 
less than 15 percent of its space free. The command-line 
defragger, however, offers the -f option, which forces 
a defrag even if the drive doesn't have that much free 
space. Now, I'm happy this option exists, but I would 
use this option only in dire circumstances. I'd hate to 
try to defrag a drive full of important information, only 
to find that the defrag process isn't so reliable without a 
lot of free space. 

Finally, Defrag offers the -c option, which defragments all volumes on the target computer.
Armed with this information, I've turned off the out-of-the-box scheduled defragmenter, and
built my own heavy-duty defragger by scheduling the command

defrag -c -w 

Give Vista's Defrag tool a try. After all, a little more speed never hurt anyone.
Top 10


Free Virtualization Products 

Build your virtual environment from one of these great, free tools 


You like free software, right? Virtualization is one of
the fastest growing technologies, and one of the 
key driving factors behind its growth is the fact 
that many of today's premier virtualization products are 
free. This lets organizations use virtualization for many 
different scenarios without spending a lot of money. Let's 
look at the 10 best free virtualization products that work 
with Windows. 


10 VMware Player—VMware Player doesn't let you create new virtual machines (VMs). However, it
runs on both Linux and Windows hosts, and can run both VMware and Microsoft VM images. VMware
Player is also the basis for VMware's thriving Virtual Appliance Marketplace. You can download
VMware Player from www.vmware.com/download/player.


9 Xen—Xen is an open-source, hypervisor-based virtualization product. You load Xen from a
Linux host, and the latest releases support both Windows and Linux guests. Xen-enabled Linux
systems can also run under Microsoft's Hyper-V virtualization, taking full advantage of the
new high performance VMBus architecture. You can download Xen from www.xen.org/download.

8 VirtualBox—VirtualBox runs on Windows, Linux, and Macintosh hosts, and can run Windows
Vista, Windows XP, Windows 2000, Windows NT, and many Linux versions as guests. VirtualBox
comes in both a commercial and a free version. VirtualBox VMs provide audio, USB, and iSCSI
support. You can find VirtualBox at www.virtualbox.org.

7 QEMU—A bit different from the other virtualization products listed, QEMU is a processor
emulator. QEMU isn't an open-source project, but it is free software and is utilized by a
number of other products, including VirtualBox and Win4Lin. Its system-emulation mode provides
basic support for Windows guests as well as DOS, Linux, and BSD. QEMU is found at
fabrice.bellard.free.fr/qemu/about.html.

6 Oracle VM—Not to be left out of the burgeoning 
virtualization market, Oracle began providing 
a free Xen variant in late 2007. You manage 
Oracle VM with a browser-based management 
console. Although the Oracle VM software is free, Oracle 
charges for support. You can download Oracle VM at
www.oracle.com/technologies/virtualization/index.html.


5 Virtual Iron Single Server Edition—Best known for its virtual infrastructure management
capabilities, Virtual Iron also offers Single Server Edition, a free, limited-feature version
of its enterprise-class virtualization product. The free version can run no more than 12 VMs
and supports a maximum Microsoft Virtual Hard Disk (VHD) import or export size of 18GB. You
can get the Virtual Iron Single Server Edition from www.virtualiron.com/products.



4 Microsoft Virtual PC 2007—Virtual PC 2007 
is Microsoft's desktop virtualization product. 
It has host and guest support for Windows 
Vista. It also supports multiple monitors, x64 
host hardware, and hardware-assisted virtualization. 
You can download Virtual PC 2007 from www.microsoft.com/windows/downloads/virtualpc.


3 Microsoft Virtual Server 2005 R2—Microsoft's 
primary virtualization offering for Windows 
Server 2003 hosts, Virtual Server 2005 R2 is 
designed for production server virtualization 
tasks. It provides 64-bit host support but no support for 
64-bit guests. Virtual Server 2005 R2 supports Windows 
Server guests as well as the popular enterprise Linux OSs. 
You can download Virtual Server 2005 R2 from
www.microsoft.com/downloads/details.aspx?FamilyID=6dba2278-b022-4f56-af96-7b95975db13b.


Michael Otey 

(mikeo@windowsitpro 
.com) is technical 
director for Windows IT 
Pro and SQL Server 
Magazine. Away from 
work, he enjoys roving 
the forests of the Pacific 
Northwest in a state of 
undress at the head of 
a pack of hunting cats. 
Michael’s favorite color 
is plaid. 


2 VMware Server—VMware Server runs on both Windows and Linux, and it provides 32-bit and
64-bit support for hosts and guests. VMware Server 2.0, currently in beta, also has
experimental support for Windows Vista and Windows Server 2008. Its VMs have audio and USB
guest support as well as support for snapshots. You can get VMware Server at
www.vmware.com/download/server.




1 Microsoft Hyper-V Server—Hyper-V Server, as a standalone, costs $29. However, it's bundled
with certain editions of Windows Server 2008, making it essentially free for Server 2008
customers. Hyper-V uses modern hypervisor-based architecture. It requires an x64 processor with
hardware-assisted virtualization, and can run Windows and Linux guests. You can download the
Hyper-V beta as part of Server 2008 RC1 at
www.microsoft.com.nsatc.net/downloads/details.aspx?familyid=8F22F69E-D1AF-49F0-8236-2B742B354919.
Exchange Backup and Recovery

Replay for Exchange 2007 


Reader: 

Ryan Dorman 
Senior Network 
Engineer 

Product: 

Replay for 
Exchange 2007 

Company: 

Appassure 

Contact:

www.appassure.com


At my company, we were having difficulty performing small restores of Exchange backups, and had
a lack of confidence in the actual integrity of our archived data. We also wanted to restore
the entire Exchange architecture in a shorter period of time than we could with our current
solution, so improving our Exchange backup procedures was something we were very interested in.

I began doing some research online by looking at reviews and product information to find a new
Exchange backup and disaster recovery solution that would fit our needs. We considered products
from companies both large and small, including Dell, EMC, Network Appliances, and Sonasoft.
After our research, we decided on Appassure's Replay for Exchange 2007. We went with Appassure
for a number of reasons, including its impressive method of restoration and integrity checking,
the fact that the system was storage agnostic and didn't lock us into one vendor, and the price
was significantly less than some of the other vendors. The fact that the product was
cluster-aware was also a huge plus.

We decided on using Replay for Exchange 2007 on two Exchange 2003 clusters. The installation of the Replay product was quite easy, requiring only a commodity server and enough storage to house the backups and a lightweight agent on the Exchange server. A single reboot of each backend Exchange node was also required. The base image process, which creates a baseline for all future change deltas to be based on, was the longest part of the installation. 

Replay for Exchange has completely simplified our Exchange backup and disaster recovery strategy. We can now recover user data from Exchange down to the individual items in half hour increments without taking Exchange offline or going through the process of setting up a Recovery Storage group. 

Our Exchange system gets a heavy amount of use, so due to this 
heavy load on our infrastructure the rate of change to our Exchange 
database was higher than what Appassure had seen in previous 
installations. There were initial problems with snapshots due to this 
high rate of change, but we worked with Appassure support to make 
changes to our installation (such as increased memory on the Replay 
server and moving to 64-bit Windows 2003) and to their code that has 
made the product work in our environment. 
KACE 

Deploy in days, not months. 

No kidding around. Installing a KBOX by KACE gives you complete systems management in days, not months. We'll also do it for one-third the cost of the big three. Give us a call, let us prove it. 

Welcome to KACE Time. 

Enterprise Management Associates 2008 Rising Star 

Systems Management. Done. 

www.kace.com/deplovindavs 877.MGMT.D0NE 

KACE and KBOX are trademarks of Kace Networks Inc. All other registered trademarks are owned by their respective companies. 
Looking for a domain? 

We have already registered 10 million domains. Look below to find out why you should choose 1&1 today! 

Best price! 
With 1&1's all inclusive pricing, you always know exactly what you are going to pay, and you will always find the best price. We don't waste money on high overhead costs or on tasteless commercials. 

No catch! 
We treat you fairly: The price we advertise is the price you pay for a domain registration. No set up fee and no additional costs. Ever. 

Maximum freedom! 
Your 1&1 domain belongs to you as long as you're with us. You can use it to set up an e-mail account or for your website. You can even use a different web host without any restrictions. Reserve your name now and get started on the web when you're ready. 

Peace of mind! 
Protect your contact information from spammers! Your privacy is important. That's why, unlike other domain companies, we offer Private Domain Registration free of charge. 

Switch and save! 
You already have a domain? 1&1 does not charge transfer costs and you can save immediately with the industry's best prices. If you want to save more, upgrade your domain to a hosting package and take advantage of our great prices. (See next page!) 

Member of United Internet 

Call 1.877.go1and1 

[Price comparison table (values not recoverable from the scan): columns Yahoo, Go Daddy and 1&1; rows Domains of-your-choice (.com, .net, .org, .us, .info, .name), Private Domain Registration*, ICANN Fee, E-mail Account (mailbox size), Total Annual Cost.] 
Free with all 1&1 domain accounts: 

✓ Private Registration* 
✓ Search Engine Tools 
✓ Domain Forwarding 
✓ 2,000 MB E-Mail Account 
✓ 24/7 Support 
✓ Starter Website 
Need a Web Host, too? 
1&1 - One stop for your 

We currently host over 5 million websites. Join our online community now and take advantage of the following benefits. 

FREE domains! 
1&1 Hosting always includes FREE domains. If you already have a 1&1 domain and choose to upgrade to a web hosting package you will no longer be billed for your domain. Sign up for one of our Web Hosting packages and receive up to 5 domain names FREE! 

It's easy to get on the web! 
A website is the easiest and most affordable way to communicate your ideas, products and information. When combined with your domain name, your website becomes a business card for the virtual world or a full-color brochure. 

1&1 WebsiteBuilder 
Included with all web hosting plans, 1&1 WebsiteBuilder lets you design a professional-looking website with no HTML knowledge! Using simple point-and-click prompts and a built-in text editor, your site can be online in minutes. Creating your website has never been easier. 

All Inclusive for All Levels! 
1&1 gives you a choice between Linux or Microsoft web hosting at unbeatable prices! Our hosting packages are easy enough for any beginner, yet powerful enough for the most demanding developer. 
Call 1.877.go1and1 

Websites 

[Hosting comparison table (column values not recoverable from the scan): 1&1 Home Package (3 months FREE!*) versus Web.com DIY and Hostway GOLD; rows Included Domains, Web Space, Monthly Transfer Volume, E-mail Accounts, Mailbox Size, Search Engine Submission, Website Builder, Photo Gallery, RSS Feed Creator, Ad-free Blog, Dynamic Web Content, Web Statistics, Starter Software Suite, 90-Day Money Back Guarantee, Support (24/7 Toll-free Phone, E-mail).] 
What's Hot 

IP Telephony 

3CX Phone System 

Our company used to have an office located in an executive suite, and the landlord owned the PBX system. We've grown over the years, and in July 2007 we moved into a location with more office space. With the move we also needed to purchase and install our own phone system. We began looking at our options, and wanted to go with a Windows-based PBX. 

We originally considered going with the open source Asterisk and Asterisk based appliances, but also packaged Windows-based PBXs. I liked the Asterisk solution, but given that we're a Windows-based shop we had plenty of old servers around loaded with Windows Server 2003. After seeing an advertisement for the 3CX Phone System in Windows IT Pro we decided to give it a try. Based on my research the other Windows based PBXs cost more money and weren't as accessible from a trial standpoint. 

We have a 30 extension VoIP phone system for our office, and 
the 3CX software was easy to download, install and run. I had it 
downloaded and running a two extension system in about an hour 
in a test environment. Deployment to production wasn't bad, as 3CX 
provides configuration templates for most popular phones and PSTN 
gateways. What cost the most time was (like most deployments) the 
planning and configuration of the dial plan and extensions. 

One of my favorite features of 3CX is the simple web-based administration console. I also like that 3CX can use our Exchange server for voicemail, which emails our voicemails to our email inboxes. Ease of installation was another nice feature, as I performed the entire implementation without ever talking to their customer service. We did start with the free version, which 3CX supports via their online forum. It sometimes took a 12-hour period to get a question answered, but there are some pretty dedicated and technical people around the world that know this product well and help. 


"I managed to create [a dial by name feature] by recording the same information and configuring the auto-attendant, but a dial by name feature that uses a directory or the user info contained in the extensions would be cool." 

—Michael R. Faster, president 


As for things I would like to improve about 3CX, I do wish there was a dial by name feature. I managed to create one by recording the same information and configuring the auto-attendant, but a dial by name that uses a directory or the user info contained in the extensions would be cool. We also struggled a bit until we found a good PSTN gateway, but we've been happy with a gateway from Patton Electronics that we found. It may be more expensive than other PSTN gateways, but it's worth it. We also had to manually code the configuration files for our Cisco IP phones, but there was lots of good information available on the Web to do this. 


What's Hot continues on page 77 

Product: 3CX Phone System 
WANTED 

FOR DATA BREACHES, IDENTITY THEFT, AND HARBORING SPYWARE AND VIRUSES. 

CIOs and IT personnel are at risk of losing vital information and data, and are advised to search for alternative computing methods. Desktop PCs and laptops are prone to data breaches, hackers, spyware, viruses, and other crippling problems that can destroy IT infrastructures everywhere. 

Devon IT's line of thin client terminals make data theft virtually impossible. Data is stored and managed on your enterprise servers and can only be accessed by authorized users. Thin clients provide true PC experience without the threats of data theft and robbery. 

Visit www.devonit.com/wanted or call 1.888.524.9382 for more information, or email info@devonit.com to receive FREE White Papers and Case Studies about how thin clients have helped protect companies across the world. 

SafeBook Notebook - Where Security Meets Mobility 

• No hard drive, so no sensitive data can be lost 
• Runs anywhere, through wireless, Ethernet, or 3G Broadband connections 
• Battery lasts for over 6 hours 
• HIPAA Compliant 
• Starting at $599 

High Powered Desktop Access Device 

• Fastest thin client in the world 
• Increased security 
• Low total cost of ownership 
• Fanless 
APPLICATION ASSURANCE 

Replay's™ ultra-fast high-availability and application protection technology for Exchange puts an end to e-mail outages, so get back to work. 

appassure.com/back2work 

Are Your IIS Servers Under Attack? 

Block all unwanted IIS traffic with ThreatSentry 

Privacyware ThreatSentry: IIS host IPS & application firewall 

• stop known, new & internal threats 
• overcome lapses in patch management 
• reinforce regulatory compliance 

sales@privacyware.com • www.privacyware.com • 732.212.8110 x235 


SOLUTIONS FOR WHEREVER YOU WANT TO GO 

Whether you need P2V conversions for one-time virtualization implementation or for ongoing DR strategies, Vizioncore can set you on the right path. 

vConverter™ 

• Conversion directly to ESX Server host 
• Quick setup & lightning fast conversion 
• User friendly GUI or CLI for advanced level administrators 
• Batch & Schedule modes for automated, remote conversions 
• Block-level cloning eliminates risk of data loss 
• Works with leading virtualization platforms 

vRanger Pro with P2V-DR™ 

• Provides P2V, V2V disaster recovery 
• Performs a P2V conversion on schedule 
• Restore physical servers as easy as VMs 
• Ability to V2V a VM with a physical RDM 

For more information about vRanger Pro with P2V-DR, vConverter, or our full lineup of software, visit our website at www.vizioncore.com 

vizioncore — VIRTUAL INFRASTRUCTURES 
What's Hot 

Internet Search 

Google 

I'm responsible for the overall strategy and direction of a large, multinational software company. We often have a need to embrace and extend our products onto the Internet, so using a good search application to look for juicy takeover targets...erm...companies to acquire is essential. After reading about Google in Windows IT Pro, we decided to give it a try. 

Using Google is fairly straightforward, 
but what's with the Google name? I still 
don't know what "Google" actually means. 

I know two college lads started the company a few years ago, but with 
an odd name like that it's not immediately clear what the focus of 
the product is. I think it would be easier if Google offered a few extra 
versions for different uses, such as Google Professional Edition for... 
professional users, and Google Home for people who work at home. 
It may also be good to tack a year on the end to make sure that people 
know they're using the latest version. Buying a product named Google 
Desktop Search Essential Edition 2008 would really let me know that 
this product is for me. Right now I'm not so sure. 

Another thing that bugs me is Google's tendency to bundle free applications with their paid services. Who are they trying to kid? It seems a bit unfair for Google to try and use their market dominance in desktop search to push their free online applications, which all seem like weak-limbed, pale imitations of Microsoft Office applications. Besides, I think I'd rather use Windows Live Spaces for storing my images, and Office Live Small Business for Web hosting. (Or does Office Live Workspace do that? Or is it Windows Office Live?) Regardless, I do know where I want to go today, and Windows Live Search (or is it Live Search?) helps me get there. 

I also encountered some bugs while using Google, namely in their inability to display search results accurately. Here's an example: typing in the word Google results in 1,830,000,000 search results, but typing in Live Search only finds 140,000,000. What's up with that? Even though Windows Li...erm...Live Search works just as well, I don't see how its search results can be so low. Maybe I should call some of the people I know in Washington and ask them about that—seems like Google may be disenfranchising computer users by suppressing search results of competitive products. Having a PC in every home is a great idea, but I'd suggest all those PC users un-bookmark Google pronto and look for another way to find their road ahead. 

I definitely don't recommend Google, as I think we...erm, Microsoft offers a much better search product that works faster, smarter and has a cooler name. When you're running a business at the speed of thought, wasting time trying to find out what the heck a "Google" is just takes time away from making money. 

InstantDoc ID 98321 
IT support at branch offices typically doesn't justify a dedicated on-site person. But when issues arise, quick response is still necessary. Unfortunately, most remote management equipment is overkill and designed for the high-density data center. 

The Lantronix Branch Office Solution Kit is a total remote management system for smaller sites and distributed IT assets! 

SecureLinx Spider™ 

• KVM-over-IP: non-blocked, BIOS-level access to servers 
• Server-powered, zero-U design 

SecureLinx® SLB 

• Remotely manage servers, routers, telecom, etc. over IP; SSH/SSL security 
• Remotely manage power to IT equipment over IP 
• Includes a built-in 8-port Ethernet switch 
• Browser based - no client software or licensing 

Great first-time buyer discounts available! (800) 422-7055 

©2008. Lantronix is a registered trademark, and SecureLinx and SecureLinx Spider are trademarks of Lantronix, Inc. 

LANTRONIX 
www.lantronix.com/branch-office 
Sentinare PostGuard filters out over 99% of spam and all viruses before they ever reach your network. 

PostGuard™ achieves industry leading accuracy in spam and virus filtering. All malicious content is quarantined. No valid emails are ever lost. With anti-virus scanning and outbound filtering, PostGuard™ provides complete email security to combat today's growing threats. Activation is simple, only requiring a simple change to your domain's MX records. There is no software or hardware to install, no updates to worry about, and no changes to your network. Your users will instantly notice spam and virus free email. 

"I have to tell you that I'm always impressed that I get a live person on the line when I call with problems. That level of customer service is a rare thing these days. We really think a lot of Sentinare and the service you provide, and I appreciate your taking care of us." — Carrie Caffrey, Danielson Harrigan Leyh & Tollefson, LLP, http://www.dhlt.com 

1-877-727-9786 

[Diagram: How Sentinare PostGuard Works. Spam goes to Quarantine; mail delivered to inbox; safely view your quarantined mail.] 

Sentinare Messaging Solutions, Inc. 
309 Cedar Street #72, Santa Cruz, CA 95060 
Email: info@sentinare.com 
www.sentinare.com 

FREE 30-DAY TRIAL, NO CONTRACT, NO HARDWARE OR SOFTWARE INVESTMENT 

We provide these additional services: Secure Email Hosting (IMAP/POP) • Encrypted Webmail • Outbound Content Filtering • Message Retention and Archival Services (SEC Rules 17a-3 and 17a-4/NASD-compliant) 

Sign up online: www.sentinare.com 
SEND US YOUR INDUSTRY HUMOR! Email your funny screenshots, favorite end-user moments, and humorous IT-related pics to rumors@windowsitpro.com. If we use your submission, you'll receive a Ctrl+Alt+Del coffee mug. 

Consciousness Notification 

The IT Pro at Home! 

What do you do after a long day at the office tinkering with systems and dealing with end-users? We're willing to bet you go home and do the same thing! You tinker with your home-networking setup, share media files across your systems, and solve the problems your family members are having with their satellite systems. You've got a connected home, and you probably use many of the same solutions there as you do at work. That's where Connected Home Media (www.connectedhomemag.com) can help. You're not only the IT pro at work—you're the IT pro at home! Sign up for the free Connected Home Express newsletter (www.windowsitpro.com/email) and get your tips about media sharing, home-network security, backup and recovery, home theater, and more! 

[Screenshot of a "Confirm Delete" dialog:] 
'The Internet' cannot be stored in the Recycle Bin. 
Are you sure you want to delete 'The Internet' from your desktop? 
How to Protect and Improve System Performance 

The Top 10 Points to Know about Fragmentation 

IT professionals are heroes of the workplace. Whether with cunning wit or a Phillips head screwdriver, they solve most any computer emergency. However, keeping a computer running at top speed is usually preventative maintenance instead of last-minute, adrenaline-surging, virus-vaccinating heroics. 

Here are 10 key points to maintain peak performance across any network: 

1. The hard-disk is the slowest part of any system. 

Say you are operating a 2.5 GHz processor. That's 2.5 billion operations every second. A large number of hard disks only spin at 7200 rotations per minute, or 120 cycles per second, or 120 Hz. This means your CPU is more than 20 million times faster than the hard disk. The hard disk still has mechanical components. Think Terminator 2®, when a mechanized Schwarzenegger is outclassed by the faster, smarter T-1000. When the slowest part of your computer is making unnecessary reads, the entire system is dragged down. 

2. Fragmentation has severe effects. 

It's more than sluggish and crawling computer speeds; fragmentation leads to crashes, hangs, data errors, file corruption and boot-time failures. Files that suffer fragmentation are more difficult and take longer to back up. When systems are thoroughly defragmented, they run faster and more reliably—period. 

3. Real-time defragmentation is necessary. 

Many companies rely on 24/7, mission-critical servers. Taking these systems offline for maintenance is not an option. But, having a server with I/O bottlenecks is also not an option. Only real-time, invisible defragmentation fixes this catch-22 situation. 

4. Give your systems faster-than-new speeds. 

NTFS best-fit attempts for file placement on hard drives are limited. Diskeeper® 2008 comes with a new technology called I-FAAST™ (Intelligent File Access Acceleration Sequencing Technology)¹ that resequences your files. So, in addition to consolidating free space, defragmenting with Diskeeper boosts access to your most frequently used files by as much as 80%. I-FAAST gives systems faster-than-new speeds. 

5. Servers are especially susceptible. 

While disk striping improves physical I/O capacity and performance, RAID and SAN systems simply do not fix fragmentation where it begins—at the file system. Enormous volumes with heavy read/write activity lead to astronomical fragmentation rates, making RAID and SAN work harder than they should. The efficiency of RAID and SAN may lessen some of the physical effects of fragmentation, but fragmentation is never eliminated. You'll need to buy more and more equipment to compensate. Sooner or later, the tortoise catches the hare, and your system suffers I/O bottlenecks and slow server speeds. 

6. Operate without interrupting productivity. 

The new InvisiTasking™ technology makes software transparent. Diskeeper 2008 with InvisiTasking will work invisibly in the background, only using untapped resources. Systems are continually improved without any management or impact on a system's usability. 

7. Defragment despite minimal free space. 

The purpose of defragmentation is to restore lost speed and performance. A defrag engine must be able to operate in limited free space because drives with extremely limited free space are the ones in need of the most help. Diskeeper 2008 handles millions of fragments and can function with as little as 1% free space. 

8. Stop fragmentation before it happens. 

Diskeeper 2008 comes with Frag Shield™ 2.0, a technology that automatically defends against fragmentation of critical system files. Frag Shield 2.0 prevents crash-inducing fragmentation. It's like Superman® saving the day—two days before there's a problem. 

9. Auto-defrag breathes life into systems. 

It keeps systems at optimum speeds and eliminates fragmentation-related performance issues. Thoroughly defragging systems adds 2-3 years onto the hardware's useful life.² 

10. Analyze your network's performance. 

Poor performance on a remote system can easily be mistaken for a slow network. Get Disk Performance Analyzer for Networks™. This free utility scans networked systems for fragmentation. See for yourself how fragmentation is affecting your systems. This groundbreaking program will provide comprehensive reports on how system speeds will improve with thorough defragmentation. Visit www.diskeeper.com/w11 and get this free, must-have utility. 

Diskeeper 2008 is the only fully-automated defragmentation program. It operates invisibly in the background and it dynamically adapts defragmentation strategies to fit the needs of individual volumes. With new defrag engines, Diskeeper 2008 restores performance on volumes with as little as 1% free space. Get rid of slows, bottlenecks, and fragmentation-induced crashes. Visit www.diskeeper.com/w9 

¹ Available on Pro Premier, Server and EnterpriseServer editions. 

² See white paper at www.diskeeper.com/wpaper 
Diskeeper 2008 with InvisiTasking 

Maximizing Performance and Reliability—Automatically™ 

Try it FREE for 45 days! Download a free trial at www.diskeeper.com/w9 

(Note: Special 45-day trialware is only available at the above link) 

Volume licensing and Government/Education ... available by calling 800-829-6468, extension 4415. 
Get your FREE file management eBook at www.brocade.com/take_control 

FEEL LIKE YOU'RE STORING EVERYTHING AND MANAGING NOTHING? 
BROCADE FILES MANAGEMENT SOLUTIONS HELP YOU TAKE BACK CONTROL. 

With Brocade Files Management Solutions, you can automatically and transparently migrate files to the optimum types of media based on your rules. So you can dramatically lower data management costs and gain more control of your file environment without compromising users' needs. And get a lot more breathing room. Get your free eBook on File Data Management at: www.brocade.com/take_control 

BROCADE 